Online Cryptography Course 



Dan Boneh 


Introduction 


Course Overview 




Welcome 


Course objectives: 

• Learn how crypto primitives work 

• Learn how to use them correctly and reason about security 

My recommendations: 

• Take notes 

• Pause video frequently to think about the material 

• Answer the in-video questions 
Cryptography is everywhere

Secure communication:
- web traffic: HTTPS
- wireless traffic: 802.11i WPA2 (and WEP), GSM, Bluetooth

Encrypting files on disk: EFS, TrueCrypt
Content protection (e.g. DVD, Blu-ray): CSS, AACS
User authentication
... and much much more
Secure communication

no eavesdropping
no tampering
Secure Sockets Layer / TLS

Two main parts

1. Handshake Protocol: Establish shared secret key
using public-key cryptography (2nd part of course)

2. Record Layer: Transmit data using shared secret key
Ensure confidentiality and integrity (1st part of course)
Protected files on disk

(figure: Alice stores files such as File 2 on disk and reads them back later)
No eavesdropping
No tampering

Analogous to secure communication:
Alice today sends a message to Alice tomorrow
Building block: sym. encryption

E, D: cipher      k: secret key (e.g. 128 bits)
m, c: plaintext, ciphertext

Encryption algorithm is publicly known
• Never use a proprietary cipher














Use Cases 


Single use key: (one time key) 

• Key is only used to encrypt one message 

• encrypted email: new key generated for every email 

Multi use key: (many time key) 

• Key used to encrypt multiple messages 

• encrypted files: same key used to encrypt many files 

• Need more machinery than for one-time key 
Things to remember

Cryptography is: 

- A tremendous tool 

- The basis for many security mechanisms 

Cryptography is not: 

- The solution to all security problems 

- Reliable unless implemented and used properly 

- Something you should try to invent yourself 

• many many examples of broken ad-hoc designs 
Introduction

What is cryptography?

Crypto core

Secret key establishment:

Secure communication:
(figure: the two parties communicate while an "attacker???" sits on the channel)
confidentiality and integrity
But crypto can do much more

Digital signatures

Anonymous communication

Anonymous digital cash
— Can I spend a "digital coin" without anyone knowing who I am?
— How to prevent double spending?

(figure: a digital coin is spent at a shop over the Internet through anon. comm.; the shop cannot tell who was paying)
Protocols

• Elections
• Private auctions

Goal: compute f(x1, x2, x3, x4)

"Thm:" anything that can be done with a trusted auth. can also be done without

Secure multi-party computation
Crypto magic

Privately outsourcing computation
(figure: the user sends E[query] to Google and receives E[results])

Zero knowledge (proof of knowledge)
(figure: the prover holds N = p·q and sends N together with a proof π: "I know the factors of N !!")
A rigorous science

The three steps in cryptography:
• Precisely specify threat model
• Propose a construction
• Prove that breaking the construction under the threat model will solve an underlying hard problem
Introduction

History

History

David Kahn, "The Codebreakers" (1996)
(book cover: The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet, David Kahn)
Symmetric Ciphers

Few Historic Examples (all badly broken)

1. Substitution cipher
Caesar Cipher (shift by 3; no key)

What is the size of key space in the substitution cipher assuming 26 letters?

|K| = 26
|K| = 26! (26 factorial)
|K| = 2^26
|K| = 26^2
How to break a substitution cipher?

What is the most common letter in English text?

How to break a substitution cipher?

(1) Use frequency of English letters
(2) Use frequency of pairs of letters (digrams)
An Example

UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFO
FEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWN
CPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVF
ZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUB
OYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZPUKBZPUNVR

Letter counts:   B 36   N 34   U 33   P 32   C 26     ⇒ B = E, N = T, U = A
Digrams:                                              ⇒ IN, AT
Trigrams:        UKB 6   RVN 6   FZI 4               ⇒ UKB = THE
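An added example (not code from the course) for the key-space quiz and the frequency-analysis steps above: substitution keys as letter maps (Caesar is the special case), n-gram counting, and the slide's ciphertext embedded so the counts can be reproduced. The short plaintext in the usage and the function names are this example's own.

```python
from collections import Counter
from math import factorial
import string

ALPHABET = string.ascii_uppercase

# Ciphertext copied from the slide above with the line breaks removed (slide data).
SLIDE_CIPHERTEXT = (
    "UKBYBIPOUZBCUFEEBORUKBYBHOBBRFESPVKBWFOFERVNBCVBZPRUBOFERVNBCVBPCYYFVUFO"
    "FEIKNWFRFIKJNUPWRFIPOUNVNIPUBRNCUKBEFWWFDNCHXCYBOHOPYXPUBNCUBOYNRVNIWN"
    "CPOJIOFHOPZRVFZIXUBORJRUBZRBCHNCBBONCHRJZSFWNVRJRUBZRPCYZPUKBZPUNVPWPCYVF"
    "ZIXUPUNFCPWRVNBCVBRPYYNUNFCPWWJUKBYBIPOUZBCUIPOUNVNIPUBRNCHOPYXPUBNCUB"
    "OYNRVNIWNCPOJIOFHOPZRNCRVNBCUNENVVFZIXUNCHPCYVFZIXUPUNFCPWZPUKBZPUNVR"
)


def keyspace_size():
    """Substitution cipher over 26 letters: a key is any permutation of the alphabet, so 26! keys."""
    return factorial(26)


def caesar_key(shift):
    """The Caesar cipher is the substitution key that shifts every letter by `shift`."""
    return {p: ALPHABET[(i + shift) % 26] for i, p in enumerate(ALPHABET)}


def invert_key(key):
    """Decryption uses the inverse map: ciphertext letter -> plaintext letter."""
    return {c: p for p, c in key.items()}


def substitute(text, key):
    """Apply a substitution key letter by letter; spaces and punctuation are dropped."""
    return "".join(key[c] for c in text.upper() if c in key)


def ngram_counts(text, n):
    """Count overlapping n-grams of the letters in `text` (n=1 letters, 2 digrams, 3 trigrams)."""
    letters = "".join(c for c in text.upper() if c in ALPHABET)
    return Counter(letters[i:i + n] for i in range(len(letters) - n + 1))


def frequency_report(ciphertext, top=5):
    """The three statistics used on the slide: most common letters, digrams and trigrams."""
    return {n: ngram_counts(ciphertext, n).most_common(top) for n in (1, 2, 3)}


if __name__ == "__main__":
    # Constructed plaintext, encrypted with the Caesar key (shift 3) from the slide.
    ct = substitute("THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG THE END", caesar_key(3))
    print(ct, frequency_report(ct, 3))
    # Compare with the counts on the slide (B, N, U, P, C; UKB, RVN, FZI).
    for n, rows in frequency_report(SLIDE_CIPHERTEXT).items():
        print(f"{n}-grams:", rows)
```

The report on the slide's ciphertext reproduces the letter ranking B, N, U, P, C and the trigram UKB; matching the most frequent ciphertext symbols to E, T, A and THE is the manual step the slide performs.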
2. Vigenère cipher (16th century, Rome)

k = CRYPTOCRYPTOCRYPT      (+ mod 26)
m = WHATANICEDAYTODAY
c = ZZZJUCLUDTUNWGCQS

suppose most common = "H"  ⇒  first letter of key = "H" - "E" = "C"
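The Vigenère example above worked in code, as an added example (not from the course). It uses the slide's letter numbering A=1, ..., Z=26 (a residue of 0 is written Z), which is what reproduces c = ZZZJ... and the hint "H" − "E" = "C". `recover_key` is this example's name for the hint applied to every key position, and the plaintext used to exercise it is constructed.

```python
from collections import Counter


def _idx(c):
    """Letter -> number with A=1, ..., Z=26 (the slide's convention)."""
    return ord(c) - 64


def _chr(v):
    """Number (mod 26) -> letter; residue 0 is written as Z."""
    v %= 26
    return chr(64 + (v if v else 26))


def vigenere_encrypt(plaintext, key):
    """c[i] = m[i] + key[i mod len(key)] (mod 26); non-letters are dropped."""
    m = [c for c in plaintext.upper() if "A" <= c <= "Z"]
    return "".join(_chr(_idx(c) + _idx(key[i % len(key)])) for i, c in enumerate(m))


def vigenere_decrypt(ciphertext, key):
    """m[i] = c[i] - key[i mod len(key)] (mod 26)."""
    return "".join(_chr(_idx(c) - _idx(key[i % len(key)])) for i, c in enumerate(ciphertext))


def recover_key(ciphertext, key_length):
    """The slide's hint, one key position at a time: ciphertext letters at positions
    i, i+L, i+2L, ... were all shifted by key[i]; assume the most common one is the
    image of E (the most common English letter), so key[i] = most_common - E."""
    key = []
    for i in range(key_length):
        column = ciphertext[i::key_length]
        most_common = Counter(column).most_common(1)[0][0]
        key.append(_chr(_idx(most_common) - _idx("E")))
    return "".join(key)


if __name__ == "__main__":
    c = vigenere_encrypt("WHATANICEDAYTODAY", "CRYPTO")
    print(c, vigenere_decrypt(c, "CRYPTO"))
    # Constructed plaintext in which E is the most common letter in every key column.
    c2 = vigenere_encrypt("EEEEEEEEEEEETAOINSHRDLUC", "CRYPTO")
    print(recover_key(c2, 6))
```

The heuristic needs enough ciphertext that E dominates each column; on a 17-letter message such as the slide's it does not, which is why the slide only states the idea.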
3. Rotor Machines (1870-1943)

Early example: the Hebern machine (single rotor)

Rotor Machines (cont.)

Most famous: the Enigma (3-5 rotors)

# keys = 26^4 = 2^18 (actually 2^36 due to plugboard)
4. Data Encryption Standard (1974)

DES: # keys = 2^56, block size = 64 bits

Today: AES (2001), Salsa20 (2008) (and many others)
Introduction

Discrete Probability
(crash course)

U: finite set (e.g. U = {0,1}^n)

Def: Probability distribution P over U is a function P: U → [0,1]
such that Σ_{x∈U} P(x) = 1

Examples:
1. Uniform distribution: for all x∈U: P(x) = 1/|U|
2. Point distribution at x0: P(x0) = 1, ∀x≠x0: P(x) = 0

Distribution vector: ( P(000), P(001), P(010), ..., P(111) )

Events

• For a set A ⊆ U: Pr[A] = Σ_{x∈A} P(x) ∈ [0,1]
  note: Pr[U] = 1
• The set A is called an event

Example: U = {0,1}^8
• A = { all x in U such that lsb2(x) = 11 }
  for the uniform distribution on {0,1}^8: Pr[A] = 1/4
The union bound

• For events A1 and A2:
  Pr[A1 ∪ A2] ≤ Pr[A1] + Pr[A2]

Example:
A1 = { all x in {0,1}^n s.t. lsb2(x) = 11 }      A2 = { all x in {0,1}^n s.t. msb2(x) = 11 }

Pr[ lsb2(x) = 11 or msb2(x) = 11 ] = Pr[A1 ∪ A2] ≤ 1/4 + 1/4 = 1/2
Random Variables

Def: a random variable X is a function X: U → V

Example: X: {0,1}^n → {0,1} ;  X(y) = lsb(y) ∈ {0,1}

For the uniform distribution on U:
(figure: the half of U with lsb = 0 maps to 0, the half with lsb = 1 maps to 1)
Pr[ X=0 ] = 1/2 ,  Pr[ X=1 ] = 1/2

More generally:
rand. var. X induces a distribution on V:  Pr[ X=v ] := Pr[ X^{-1}(v) ]
The uniform random variable

Let U be some set, e.g. U = {0,1}^n

We write r ← U to denote a uniform random variable over U
for all a∈U: Pr[ r = a ] = 1/|U|

(formally, r is the identity function: r(x) = x for all x∈U)
Let r be a uniform random variable on {0,1}^2
Define the random variable X = r1 + r2

Then Pr[X=2] = 1/4

Hint: Pr[X=2] = Pr[ r=11 ]
Randomized algorithms

Deterministic algorithm: y ← A(m)
(figure: the same input m always gives the same output A(m))

Randomized algorithm
y ← A( m ; r )  where  r ← {0,1}^n
output is a random variable:  y ← A( m )
(figure: the same input m can give different outputs on different runs)

Example: A(m ; k) = E(k, m) ,  y ← A(m)
Introduction

Discrete Probability
(crash course, cont.)

Recap

U: finite set (e.g. U = {0,1}^n)

Prob. distr. P over U is a function P: U → [0,1] s.t. Σ_{x∈U} P(x) = 1

A ⊆ U is called an event and Pr[A] = Σ_{x∈A} P(x) ∈ [0,1]

A random variable is a function X: U → V.
X takes values in V and defines a distribution on V
Independence

Def: events A and B are independent if Pr[ A and B ] = Pr[A] · Pr[B]

random variables X, Y taking values in V are independent if
∀a,b∈V: Pr[ X=a and Y=b ] = Pr[X=a] · Pr[Y=b]

Example: U = {0,1}^2 = {00, 01, 10, 11} and r ← U
Define r.v. X and Y as: X = lsb(r) , Y = msb(r)

Pr[ X=0 and Y=0 ] = Pr[ r=00 ] = 1/4 = Pr[X=0] · Pr[Y=0]
Review: XOR

XOR of two strings in {0,1}^n is their bit-wise addition mod 2

x  y  x⊕y
0  0  0
0  1  1
1  0  1
1  1  0

   0110111
⊕  1011010
   -------
   1101101
An important property of XOR

Thm: Y a rand. var. over {0,1}^n , X an indep. uniform var. on {0,1}^n
Then Z := Y ⊕ X is uniform var. on {0,1}^n

Proof: (for n=1)
Let Pr[Y=0] = p0 and Pr[Y=1] = p1 (p0 + p1 = 1); Pr[X=0] = Pr[X=1] = 1/2.
Since X and Y are independent:

Y  X  Pr
0  0  p0/2
0  1  p0/2
1  0  p1/2
1  1  p1/2

Pr[ Z=0 ] = Pr[ (Y,X) = (0,0) or (Y,X) = (1,1) ] = p0/2 + p1/2 = 1/2
The birthday paradox

Let r1, ..., rn ∈ U be indep. identically distributed random vars.

Thm: when n = 1.2 × |U|^{1/2} then Pr[ ∃i≠j: ri = rj ] ≥ 1/2

notation: |U| is the size of U

Example: Let U = {0,1}^128
After sampling about 2^64 random messages from U,
some two sampled messages will likely be the same

(plot: collision probability, y axis 0 to 1, against # samples n, x axis 0 to 5000, for |U| = 10^6)
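The birthday bound as an added example (not from the course): the exact collision probability 1 − Π_{i<n}(1 − i/|U|), the 1.2·√|U| rule from the theorem, and a Monte Carlo check on the |U| = 10^6 case shown in the plot. Function names and the seeded experiment are this example's own.

```python
import math
import random


def collision_probability(universe_size, n):
    """Exact Pr[some two of n iid uniform samples from a set of size |U| coincide]:
    Pr[no collision] = prod_{i=0}^{n-1} (1 - i/|U|), since the i-th sample must avoid i earlier values."""
    if n > universe_size:
        return 1.0                      # pigeonhole: more samples than values
    no_collision = 1.0
    for i in range(n):
        no_collision *= 1.0 - i / universe_size
    return 1.0 - no_collision


def birthday_threshold(universe_size):
    """The slide's rule of thumb: n = 1.2 * sqrt(|U|) samples give collision probability >= 1/2."""
    return round(1.2 * math.sqrt(universe_size))


def samples_for_half(universe_size):
    """Smallest n whose exact collision probability reaches 1/2 (direct search, toy sizes only)."""
    n = 1
    while collision_probability(universe_size, n) < 0.5:
        n += 1
    return n


def simulate(universe_size, n, trials, seed=0):
    """Constructed experiment: draw n values uniformly, report the fraction of trials with a repeat."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        seen = set()
        for _ in range(n):
            x = rng.randrange(universe_size)
            if x in seen:
                hits += 1
                break
            seen.add(x)
    return hits / trials


if __name__ == "__main__":
    U = 10 ** 6                          # the |U| of the plot on the slide
    n = birthday_threshold(U)            # 1200
    print(n, collision_probability(U, n), samples_for_half(U), simulate(U, n, 1000))
```

For |U| = 2^128 the same formula is not evaluated by a loop; the approximation 1 − exp(−n²/(2|U|)) is used instead, and it gives the 2^64 figure quoted on the slide.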
Stream ciphers

The One Time Pad

Symmetric Ciphers: definition

Def: a cipher defined over (K, M, C)
is a pair of "efficient" algs (E, D) where
E: K × M → C ,  D: K × C → M
s.t. ∀ m∈M, k∈K: D(k, E(k, m)) = m   (consistency)

• E is often randomized. D is always deterministic.
The One Time Pad (Vernam 1917)

First example of a "secure" cipher

M = C = K = {0,1}^n
key = (random bit string as long as the message)

The One Time Pad (Vernam 1917)

E(k, m) = k ⊕ m ,  D(k, c) = k ⊕ c

msg: 0110111
key: 1011010
CT:  1101101

Consistency: D(k, E(k, m)) = k ⊕ (k ⊕ m) = (k ⊕ k) ⊕ m = 0 ⊕ m = m
You are given a message (m) and its OTP encryption (c).
Can you compute the OTP key from m and c ?

No, I cannot compute the key.
Yes, the key is k = m ⊕ c.
I can only compute half the bits of the key.
Yes, the key is k = m ⊕ m.
The One Time Pad (Vernam 1917)

Very fast enc/dec !!
... but long keys (as long as plaintext)

Is the OTP secure? What is a secure cipher?
What is a secure cipher?

Attacker's abilities: CT only attack (for now)

Possible security requirements:
attempt #1: attacker cannot recover secret key
attempt #2: attacker cannot recover all of plaintext

Shannon's idea:
CT should reveal no "info" about PT
Information Theoretic Security (Shannon 1949)

Def: A cipher (E,D) over (K,M,C) has perfect secrecy if
∀ m0, m1 ∈ M ( |m0| = |m1| ) and ∀ c∈C
Pr[ E(k,m0) = c ] = Pr[ E(k,m1) = c ]   where k ← K

(k is uniform in K; given c, the attacker cannot tell whether m0 or m1 was encrypted ⇒ no CT-only attack)
Lemma: OTP has perfect secrecy.

Proof:
∀ m, c:  Pr[ E(k,m) = c ] = #{ k∈K : E(k,m) = c } / |K|   (k uniform in K)
so if ∀ m, c: #{ k∈K : E(k,m) = c } = const, then the cipher has perfect secrecy.

Let m ∈ M and c ∈ C.
How many OTP keys map m to c?

None
1
2
Depends on m

Lemma: OTP has perfect secrecy.

Proof:
For OTP: E(k,m) = c  ⟺  k ⊕ m = c  ⟺  k = m ⊕ c , so #{ k : E(k,m) = c } = 1 for all m, c
⇒ OTP has perfect secrecy
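The XOR theorem, the lemma and the key-counting quiz above, as one added example (not the course's code): an exhaustive check for small n that every (m, c) pair has exactly one OTP key, that the ciphertext distribution is the same for every message (Shannon's definition), and that Y ⊕ X is uniform for a constructed skewed distribution of Y. Names and the skewed distribution are this example's own.

```python
from fractions import Fraction
from itertools import product


def all_strings(n):
    """{0,1}^n as tuples of bits."""
    return list(product((0, 1), repeat=n))


def xor_bits(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def otp_encrypt(key, msg):
    return xor_bits(key, msg)


def otp_decrypt(key, ct):
    return xor_bits(key, ct)       # same operation: k xor (k xor m) = m


def keys_mapping(msg, ct):
    """#{ k in {0,1}^n : E(k, msg) = ct }, the count used in the proof (and the quiz)."""
    return sum(1 for k in all_strings(len(msg)) if otp_encrypt(k, msg) == ct)


def ciphertext_distribution(msg):
    """Pr[E(k, msg) = c] for every c, with k uniform over {0,1}^n."""
    keys = all_strings(len(msg))
    dist = {c: Fraction(0) for c in keys}
    for k in keys:
        dist[otp_encrypt(k, msg)] += Fraction(1, len(keys))
    return dist


def has_perfect_secrecy(n):
    """Shannon's definition checked exhaustively for n-bit OTP:
    the ciphertext distribution must not depend on the message."""
    dists = [ciphertext_distribution(m) for m in all_strings(n)]
    return all(d == dists[0] for d in dists)


def skewed_distribution(n):
    """Constructed non-uniform Y: mass 1/2 on the all-zero string, the rest spread evenly."""
    strings = all_strings(n)
    rest = Fraction(1, 2 * (len(strings) - 1))
    return {s: (Fraction(1, 2) if not any(s) else rest) for s in strings}


def xor_with_uniform(py, n):
    """The XOR theorem: Y with distribution py, X independent uniform on {0,1}^n;
    returns the distribution of Z = Y xor X (summing over all (y, x) pairs)."""
    pz = {z: Fraction(0) for z in all_strings(n)}
    for y, p in py.items():
        for x in all_strings(n):
            pz[xor_bits(x, y)] += p * Fraction(1, 2 ** n)
    return pz


if __name__ == "__main__":
    print(keys_mapping((0, 1, 1, 0), (1, 1, 0, 1)))           # 1
    print(has_perfect_secrecy(3))                            # True
    print(xor_with_uniform(skewed_distribution(2), 2))       # every value 1/4
```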











The bad news ...

Thm: perfect secrecy  ⇒  |K| ≥ |M|

⇒ hard to use in practice !!
Stream ciphers

Pseudorandom Generators

Review

Cipher over (K,M,C): a pair of "efficient" algs (E, D) s.t.
∀ m∈M, k∈K: D(k, E(k, m)) = m

Weak ciphers: subs. cipher, Vigenère, ...

A good cipher: OTP    M = C = K = {0,1}^n
E(k, m) = k ⊕ m ,  D(k, c) = k ⊕ c

Lemma: OTP has perfect secrecy (i.e. no CT only attacks)
Bad news: perfect secrecy ⇒ key-len ≥ msg-len
Stream Ciphers: making OTP practical

idea: replace "random" key by "pseudorandom" key

PRG: a function G: K → {0,1}^n (seed space K = {0,1}^s, n ≫ s) that is "efficiently" computable by a deterministic algorithm and whose output "looks random" (made precise in the following segments)
Stream cipher: E(k, m) = m ⊕ G(k) ,  D(k, c) = c ⊕ G(k)

Can a stream cipher have perfect secrecy?

O Yes, if the PRG is really "secure"
O No, there are no ciphers with perfect secrecy
O Yes, every cipher has perfect secrecy
O No, since the key is shorter than the message

Stream Ciphers: making OTP practical

Stream ciphers cannot have perfect secrecy !!
• Need a different definition of security
• Security will depend on specific PRG
PRG must be unpredictable

Suppose the PRG is predictable: from a prefix G(k)|_{1..i} an "efficient" algorithm computes the rest of the output G(k)|_{i+1..n}.
Then the stream cipher is insecure: messages often start with a known header, so from c = m ⊕ G(k) the attacker obtains G(k)|_{1..i} = m|_{1..i} ⊕ c|_{1..i}, predicts the remaining bits of G(k), and decrypts the rest of m.
Even predicting the next bit with probability noticeably above 1/2 is a problem.
PRG must be unpredictable

We say that G: K → {0,1}^n is predictable if:
∃ "eff" alg. A and ∃ 0 ≤ i ≤ n-1 s.t.
Pr_{k←K}[ A( G(k)|_{1..i} ) = G(k)|_{i+1} ] > 1/2 + ε
for some non-negligible ε

Def: PRG is unpredictable if it is not predictable
⇒ ∀i: no "eff" adv. can predict bit (i+1) for "non-neg" ε
Suppose G: K → {0,1}^n is such that for all k: XOR(G(k)) = 1

Is G predictable ??

Yes, given the first bit I can predict the second
No, G is unpredictable
Yes, given the first (n-1) bits I can predict the n'th bit
It depends

Weak PRGs (do not use for crypto)

Linear congruential generator with parameters a, b, p:
r[0] = seed
r[i] ← a·r[i-1] + b  mod p ,  output few bits of r[i] ,  i++

glibc random():
r[i] ← ( r[i-3] + r[i-31] ) % 2^32
output r[i] >> 1

Never use random() for crypto (e.g. Kerberos v4)
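An added example (not from the course) of the glibc random() recurrence quoted above: r[i] = (r[i-3] + r[i-31]) mod 2^32, output r[i] >> 1. The 31 initial words are constructed here (real glibc derives them from srandom() and discards early outputs, which this simplified model omits); the point it shows is that each output is determined up to one of two candidates by outputs already seen, i.e. the generator is predictable in the sense of the next slide.

```python
def glibc_like_random(seed_state, count):
    """Outputs of the recurrence on the slide, starting from 31 constructed state words."""
    r = list(seed_state)
    assert len(r) == 31
    out = []
    for i in range(31, 31 + count):
        r.append((r[i - 3] + r[i - 31]) % 2**32)
        out.append(r[i] >> 1)              # the low bit of r[i] is discarded
    return out


def predict_next(outputs):
    """Given the previous outputs (at least 31), the next one is one of two values.
    With r = 2*o + b for the discarded bit b:
        r[i] >> 1 = (o[i-3] + o[i-31] + floor((b[i-3] + b[i-31]) / 2)) mod 2^31,
    so the carry from the two unknown low bits adds either 0 or 1."""
    base = (outputs[-3] + outputs[-31]) % 2**31
    return (base, (base + 1) % 2**31)


def predictor_accuracy(seed_state, count):
    """Fraction of outputs that fall inside the two-candidate prediction (always 1.0)."""
    out = glibc_like_random(seed_state, 31 + count)
    hits = sum(1 for i in range(31, 31 + count) if out[i] in predict_next(out[:i]))
    return hits / count


if __name__ == "__main__":
    seed = [(i * 2654435761) % 2**32 for i in range(1, 32)]   # constructed state
    stream = glibc_like_random(seed, 40)
    print(stream[31], predict_next(stream[:31]), predictor_accuracy(seed, 300))
```

Guessing between the two candidates succeeds with probability at least 1/2 for every position, which is exactly what the definition of "predictable" forbids; a CSPRNG (e.g. one from NIST SP 800-90, mentioned later) is the correct tool for keys and IVs.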
Stream ciphers

Negligible vs. non-negligible

Negligible and non-negligible

• In practice: ε is a scalar and
  — ε non-neg: ε > 1/2^30 (likely to happen over 1GB of data)
  — ε negligible: ε < 1/2^80 (won't happen over life of key)

• In theory: ε is a function ε: ℤ^{≥0} → ℝ^{≥0} and
  — ε non-neg: ∃d: ε(λ) ≥ 1/λ^d inf. often (ε ≥ 1/poly, for many λ)
  — ε negligible: ∀d, λ ≥ λ_d: ε(λ) ≤ 1/λ^d (ε ≤ 1/poly, for large λ)
Few Examples

ε(λ) = 1/2^λ : negligible

ε(λ) = 1/λ^1000 : non-negligible

ε(λ) = 1/2^λ for odd λ, 1/λ^1000 for even λ : non-negligible
PRGs: the rigorous theory view

PRGs are "parameterized" by a security parameter λ
• PRG becomes "more secure" as λ increases

Seed lengths and output lengths grow with λ

For every λ = 1, 2, 3, ... there is a different PRG G_λ:
G_λ : K_λ → {0,1}^{n(λ)}

(in the lectures we will always ignore λ)
An example asymptotic definition

We say that G_λ: K_λ → {0,1}^{n(λ)} is predictable at position i if
there exists a polynomial time (in λ) algorithm A s.t.
Pr_{k←K_λ}[ A( G_λ(k)|_{1..i} ) = G_λ(k)|_{i+1} ] > 1/2 + ε(λ)
for some non-negligible function ε(λ)
Stream ciphers

Attacks on OTP and stream ciphers

Review

OTP: E(k,m) = m ⊕ k ,  D(k,c) = c ⊕ k

Making OTP practical using a PRG: G: K → {0,1}^n

Stream cipher: E(k,m) = m ⊕ G(k) ,  D(k,c) = c ⊕ G(k)

Security: PRG must be unpredictable (better def in two segments)
Attack 1: two time pad is insecure !!

Never use stream cipher key more than once !!

c1 ← m1 ⊕ PRG(k)
c2 ← m2 ⊕ PRG(k)

Eavesdropper does:
c1 ⊕ c2  →  m1 ⊕ m2

Enough redundancy in English and ASCII encoding that:
m1 ⊕ m2  →  m1, m2
Real world examples

• Project Venona

• MS-PPTP (Windows NT):
(figure: client and server each encrypt their traffic with the same keystream G(k))
Need different keys for C→S and S→C
Real world examples

802.11b WEP:
(figure: each frame is sent as IV || ciphertext, ciphertext = m ⊕ PRG( IV || k ))

Length of IV: 24 bits
• Repeated IV after 2^24 = 16M frames
• On some 802.11 cards: IV resets to 0 after power cycle
Avoid related keys

802.11b WEP:
(figure: frame = IV || ciphertext, keystream = PRG( IV || k ))

key for frame #1: (1 || k)
key for frame #2: (2 || k)
• the per-frame keys are closely related: they differ only in the IV prefix
• the PRG used is not safe under related keys: after about 10^6 frames the long-term key k can be recovered
A better construction

(figure: k → PRG → one long pseudorandom stream, cut into a separate segment per frame)

⇒ now each frame has a pseudorandom key

better solution: use stronger encryption method (as in WPA2)

Yet another example: disk encryption
Two time pad: summary

Never use stream cipher key more than once !!

• Network traffic: negotiate new key for every session (e.g. TLS)
• Disk encryption: typically do not use a stream cipher
Attack 2: no integrity (OTP is malleable)

m  →  enc (⊕k)  →  m ⊕ k  →  attacker XORs p  →  (m ⊕ p) ⊕ k  →  dec (⊕k)  →  m ⊕ p

Modifications to ciphertext are undetected and
have predictable impact on plaintext

Attack 2: no integrity (OTP is malleable)

Example: the message "From: Bob" is encrypted as c = m ⊕ k.
"Bob" = 42 6F 62 and "Eve" = 45 76 65 (ASCII), so the attacker XORs
42 6F 62 ⊕ 45 76 65 = 07 19 07 into the ciphertext bytes at the position of the name;
after decryption the message reads "From: Eve".

Modifications to ciphertext are undetected and
have predictable impact on plaintext
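Attack 2 worked as an added example (not from the course): the "From: Bob" → "From: Eve" edit on a constructed key and, as the mitigation this slide motivates but does not cover, an HMAC-SHA256 tag over the ciphertext that rejects the edited ciphertext. The key, the MAC key and the function names are this example's own.

```python
import hashlib
import hmac


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(key, msg):
    """c = m xor k over bytes; the key must be at least as long as the message."""
    assert len(key) >= len(msg)
    return xor_bytes(key[:len(msg)], msg)


otp_decrypt = otp_encrypt       # decryption is the same XOR


def malleate(ciphertext, offset, old, new):
    """The edit from the slide, done without the key: XOR (old xor new) into the
    ciphertext at `offset`, so that decryption yields `new` where `old` was."""
    patch = xor_bytes(old, new)
    end = offset + len(patch)
    return ciphertext[:offset] + xor_bytes(ciphertext[offset:end], patch) + ciphertext[end:]


# Mitigation (not part of this slide): a MAC over the ciphertext detects any edit.
def mac(mac_key, ciphertext):
    return hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def verify(mac_key, ciphertext, tag):
    return hmac.compare_digest(mac(mac_key, ciphertext), tag)


if __name__ == "__main__":
    key = bytes.fromhex("1337c0ffee4299017a")          # constructed one-time key
    mac_key = b"m" * 32                                # constructed MAC key
    ct = otp_encrypt(key, b"From: Bob")
    tag = mac(mac_key, ct)
    forged = malleate(ct, 6, b"Bob", b"Eve")           # "Bob" starts at byte 6
    print(otp_decrypt(key, forged))                     # b'From: Eve'
    print(verify(mac_key, ct, tag), verify(mac_key, forged, tag))   # True False
```

The receiver must verify the tag before decrypting; with the tag in place the forged ciphertext is rejected and the "predictable impact on plaintext" never reaches the application.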
Stream ciphers

Real-world Stream Ciphers

Old example (software): RC4 (1987)

(figure: 128-bit seed → 2048-bit internal state → 1 byte of output per round)

Used in HTTPS and WEP
Weaknesses:
1. Bias in initial output: Pr[ 2nd byte = 0 ] = 2/256
2. Prob. of (0,0) is 1/256^2 + 1/256^3
3. Related key attacks

Old example (hardware): CSS (badly broken)

Linear feedback shift register (LFSR):
(figure: a shift register whose new input bit is the XOR of a few tap positions)

DVD encryption (CSS): 2 LFSRs
GSM encryption (A5/1,2): 3 LFSRs
Bluetooth (E0): 4 LFSRs
- all broken

Old example (hardware): CSS (badly broken)

CSS: seed = 5 bytes = 40 bits
(figure: the seed loads a 17-bit LFSR and a 25-bit LFSR; their output bytes are added (mod 256) to produce the keystream)
Cryptanalysis of CSS (2^17 time attack)

(figure: encrypted movie = movie ⊕ CSS keystream; the movie's first bytes (file-format prefix) are known, so the first 20 bytes of the keystream, the "CSS prefix", are recovered)

For all possible initial settings of 17-bit LFSR do:
• Run 17-bit LFSR to get 20 bytes of output
• Subtract from CSS prefix ⇒ candidate 20 bytes output of 25-bit LFSR
• If consistent with 25-bit LFSR, found correct initial settings of both !!

Using key, generate entire CSS output
Modern stream ciphers: seed and nonce

PRG: {0,1}^s × R → {0,1}^n    (seed k ∈ {0,1}^s, nonce r ∈ R)

Nonce: a non-repeating value for a given key.

E(k, m ; r) = m ⊕ PRG(k ; r)

The pair (k, r) is never used more than once.

eStream
eStream: Salsa20 (sw+hw)

Salsa20: {0,1}^{128 or 256} × {0,1}^64 → {0,1}^n    (max n = 2^73 bits)

Salsa20(k ; r) := H( k, (r, 0) ) || H( k, (r, 1) ) || ...

h: invertible function, designed to be fast on x86 (SSE2)

Is Salsa20 secure (unpredictable)?
• Unknown: no known provably secure PRGs
• In reality: no known attacks better than exhaustive search
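Attack 1 (the two time pad), the WEP discussion and the nonce-based construction above, as one added example (not code from the course): a stream cipher E(k, m; r) = m ⊕ PRG(k; r) whose PRG follows the block-counter layout H(k,(r,0)) || H(k,(r,1)) || ... of the Salsa20 slide, with SHA-256 over key || nonce || counter standing in for Salsa20's H (an assumption of this example; it is not Salsa20). It shows the relation c1 ⊕ c2 = m1 ⊕ m2 when a (k, r) pair repeats and its absence when the nonce differs; messages, key and nonces are constructed.

```python
import hashlib


def keystream(key, nonce, length):
    """PRG(k; r): concatenate H(k,(r,0)) || H(k,(r,1)) || ... and truncate.
    H is SHA-256 here as a stand-in for a real stream-cipher core."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, msg):
    """E(k, m; r) = m xor PRG(k; r). The pair (k, r) must never be reused."""
    return xor_bytes(msg, keystream(key, nonce, len(msg)))


decrypt = encrypt               # D(k, c; r) = c xor PRG(k; r)


def eavesdropper_xor(c1, c2):
    """What an eavesdropper can compute from two ciphertexts: c1 xor c2.
    Under keystream reuse this equals m1 xor m2 (Attack 1); otherwise it is unrelated to the messages."""
    return xor_bytes(c1, c2)


def keystream_reused(c1, c2, m1, m2):
    """Check of the Attack 1 relation over the common prefix: c1 xor c2 == m1 xor m2."""
    n = min(len(c1), len(c2), len(m1), len(m2))
    return eavesdropper_xor(c1[:n], c2[:n]) == xor_bytes(m1[:n], m2[:n])


if __name__ == "__main__":
    key = b"\x01" * 32                                    # constructed key
    m1, m2 = b"attack at dawn", b"retreat at dusk"         # constructed messages
    same_nonce = b"\x00" * 8
    c1 = encrypt(key, same_nonce, m1)
    c2 = encrypt(key, same_nonce, m2)                     # nonce reuse: the two time pad
    print(keystream_reused(c1, c2, m1, m2))               # True: c1 xor c2 leaks m1 xor m2
    c2_fresh = encrypt(key, b"\x00" * 7 + b"\x01", m2)    # distinct nonce: distinct keystream
    print(keystream_reused(c1, c2_fresh, m1, m2))         # False
    print(decrypt(key, same_nonce, c1) == m1)             # True
```

A 24-bit IV, as in WEP, gives only 2^24 nonces, so repeats are guaranteed after 16M frames and likely much earlier under the birthday bound; a 64-bit nonce as in Salsa20, or a fresh key per session as in TLS, is what keeps (k, r) from repeating.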
Performance

AMD Opteron, 2.2 GHz (Linux)          Crypto++ 5.6.0 [ Wei Dai ]

PRG                      Speed (MB/sec)
RC4                      126
Salsa20/12 (eStream)     643
Sosemanuk (eStream)      727
Generating Randomness (e.g. keys, IV)

(figure: entropy sources feed an internal state; a generate function derives pseudorandom output from the state)

Pseudo random generators in practice: (e.g. /dev/random)
• Continuously add entropy to internal state
• Entropy sources:
  • Hardware RNG: Intel RdRand inst. (Ivy Bridge). 3Gb/sec.
  • Timing: hardware interrupts (keyboard, mouse)

NIST SP 800-90: NIST approved generators
Stream ciphers

PRG Security Defs

Let G: K → {0,1}^n be a PRG
Goal: define what it means that { k ← K : G(k) } is "indistinguishable" from uniform({0,1}^n)
Statistical Tests

Statistical test on {0,1}^n:
an alg. A s.t. A(x) outputs "0" or "1"

Examples:
1. A(x) = 1  iff  | #0(x) − #1(x) | ≤ 10·√n
2. A(x) = 1  iff  | #00(x) − n/4 | ≤ 10·√n
(#0(x), #1(x), #00(x): number of 0s, 1s and 00 pairs in x)

Statistical Tests

More examples:
3. A(x) = 1  iff  max-run-of-0(x) ≤ 10·log2(n)

Advantage

Let G: K → {0,1}^n be a PRG and A a stat. test on {0,1}^n

Define:
Adv_PRG[A,G] = | Pr_{k←K}[ A(G(k)) = 1 ] − Pr_{r←{0,1}^n}[ A(r) = 1 ] |  ∈ [0,1]

Adv close to 1  ⇒  A can distinguish G from random
Adv close to 0  ⇒  A cannot distinguish G from random

A silly example: A(x) = 0   ⇒   Adv_PRG[A,G] = 0

Suppose G: K → {0,1}^n satisfies msb(G(k)) = 1 for 2/3 of keys in K

Define stat. test A(x) as:
if [ msb(x) = 1 ] output "1" else output "0"

Then
Adv_PRG[A,G] = | Pr[ A(G(k)) = 1 ] − Pr[ A(r) = 1 ] | =
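The advantage definition and the msb quiz above, worked as an added example (not from the course): Adv_PRG[A,G] computed exactly by enumerating the key space and {0,1}^n for a constructed toy PRG with 6 seeds and 4-bit outputs, four of which (2/3) have msb 1; the silly test A(x) = 0; and a parity test for the earlier quiz where XOR(G(k)) = 1 for every k. The toy tables and names are this example's own.

```python
from fractions import Fraction
from itertools import product


def all_strings(n):
    return list(product((0, 1), repeat=n))


def advantage(G, keys, test, n):
    """Adv_PRG[A,G] = | Pr_{k<-K}[A(G(k))=1] - Pr_{r<-{0,1}^n}[A(r)=1] |,
    exact by enumeration (feasible only for toy sizes)."""
    p_g = Fraction(sum(test(G(k)) for k in keys), len(keys))
    p_r = Fraction(sum(test(r) for r in all_strings(n)), 2 ** n)
    return abs(p_g - p_r)


# Constructed toy PRG for the msb quiz: msb(G(k)) = 1 for 4 of the 6 keys.
TOY_KEYS = range(6)
TOY_TABLE = [(1, 0, 1, 1), (1, 1, 0, 0), (1, 0, 0, 1), (1, 1, 1, 0), (0, 0, 1, 1), (0, 1, 0, 1)]


def toy_G(k):
    return TOY_TABLE[k]


# Constructed toy PRG for the XOR quiz: every output has odd parity, XOR(G(k)) = 1.
PARITY_KEYS = range(4)
PARITY_TABLE = [(1, 0, 0, 0), (0, 1, 0, 0), (1, 1, 1, 0), (0, 0, 0, 1)]


def parity_G(k):
    return PARITY_TABLE[k]


def msb_test(x):
    """The slide's test: output 1 iff msb(x) = 1."""
    return 1 if x[0] == 1 else 0


def parity_test(x):
    """Output 1 iff the XOR of all bits is 1; a random string passes with probability 1/2."""
    return sum(x) % 2


def silly_test(x):
    return 0


if __name__ == "__main__":
    print(advantage(toy_G, TOY_KEYS, msb_test, 4))        # 1/6 = |2/3 - 1/2|
    print(advantage(toy_G, TOY_KEYS, silly_test, 4))      # 0
    print(advantage(parity_G, PARITY_KEYS, parity_test, 4))   # 1/2 = |1 - 1/2|
```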
Secure PRGs: crypto definition

Def: We say that G: K → {0,1}^n is a secure PRG if
∀ "eff" stat. tests A:  Adv_PRG[A,G] is "negligible"

Are there provably secure PRGs?
Unknown, but we have heuristic candidates.
Easy fact: a secure PRG is unpredictable

We show: PRG predictable ⇒ PRG is insecure

Suppose A is an efficient algorithm s.t.
Pr_{k←K}[ A( G(k)|_{1..i} ) = G(k)|_{i+1} ] > 1/2 + ε
for non-negligible ε (e.g. ε = 1/1000)

Easy fact: a secure PRG is unpredictable

Define statistical test B as:
B(X) = 1  if  A( X|_{1..i} ) = X_{i+1} ,  else 0

Then:
Pr_{r←{0,1}^n}[ B(r) = 1 ] = 1/2          Pr_{k←K}[ B(G(k)) = 1 ] > 1/2 + ε
⇒ Adv_PRG[B,G] > ε  (non-negligible), so G is not a secure PRG
Thm (Yao'82): an unpredictable PRG is secure

Let G: K → {0,1}^n be a PRG

"Thm": if ∀ i ∈ {0, ..., n-1} PRG G is unpredictable at pos. i
then G is a secure PRG.

If next-bit predictors cannot distinguish G from random
then no statistical test can !!
Let G: K → {0,1}^n be a PRG such that
from the last n/2 bits of G(k)
it is easy to compute the first n/2 bits.

Is G predictable for some i ∈ {0, ..., n-1} ?

O Yes  ✓
O No

More Generally

Let P1 and P2 be two distributions over {0,1}^n

Def: We say that P1 and P2 are
computationally indistinguishable (denoted P1 ≈p P2)
if ∀ "eff" stat. tests A:  | Pr_{x←P1}[ A(x) = 1 ] − Pr_{x←P2}[ A(x) = 1 ] | < negligible

Example: a PRG is secure if { k ← K : G(k) } ≈p uniform({0,1}^n)
Stream ciphers

Semantic security

Goal: secure PRG ⇒ "secure" stream cipher

What is a secure cipher?

Attacker's abilities: obtains one ciphertext (for now)

Possible security requirements:
attempt #1: attacker cannot recover secret key
attempt #2: attacker cannot recover all of plaintext

Recall Shannon's idea:
CT should reveal no "info" about PT

Recall Shannon's perfect secrecy

Let (E,D) be a cipher over (K,M,C)

(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )
{ E(k,m0) } = { E(k,m1) }   where k ← K

(E,D) has perfect secrecy if ∀ m0, m1 ∈ M ( |m0| = |m1| )
{ E(k,m0) } ≈p { E(k,m1) }   where k ← K
... but also need adversary to exhibit m0, m1 ∈ M explicitly
Semantic Security (one-time key)

For b=0,1 define experiments EXP(0) and EXP(1) as:
(figure: the challenger picks k ← K; the adversary A sends m0, m1 ∈ M with |m0| = |m1|; the challenger returns c ← E(k, m_b); A outputs b' ∈ {0,1})

W_b := [ event that EXP(b) = 1 ]
Adv_SS[A,E] := | Pr[ W0 ] − Pr[ W1 ] | ∈ [0,1]

Semantic Security (one-time key)

Def: E is semantically secure if for all efficient A
Adv_SS[A,E] is negligible.

⇒ for all explicit m0, m1 ∈ M : { E(k,m0) } ≈p { E(k,m1) }
Examples

Suppose efficient A can always deduce LSB of PT from CT.
⇒ E = (E,D) is not semantically secure.

Adversary B (using A): picks m0, m1 with LSB(m0) = 0 and LSB(m1) = 1, receives c ← E(k, m_b), runs A on c to learn LSB(m_b) and outputs it as b'.

Then Adv_SS[B,E] = | Pr[ EXP(0)=1 ] − Pr[ EXP(1)=1 ] | = | 0 − 1 | = 1
OTP is semantically secure

(figure: Chal. picks k ← K; Adv. A sends m0, m1 ∈ M with |m0| = |m1|; EXP(0) returns c ← k ⊕ m0, EXP(1) returns c ← k ⊕ m1; A outputs b' ∈ {0,1})

For all A: Adv_SS[A,OTP] = | Pr[ A(k ⊕ m0) = 1 ] − Pr[ A(k ⊕ m1) = 1 ] |

identical distributions (k ⊕ m0 and k ⊕ m1 are both uniform)
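Adversary B of the LSB example and the OTP result above, as one added example (not the course's code): the semantic-security game evaluated exactly over every key for 3-bit messages, with a constructed toy cipher that leaks the LSB (the key's LSB is forced to 0) beside the OTP. Names and the toy cipher are this example's own.

```python
from fractions import Fraction
from itertools import product


def all_strings(n):
    return list(product((0, 1), repeat=n))


def xor_bits(a, b):
    return tuple(x ^ y for x, y in zip(a, b))


def otp(k, m):
    return xor_bits(k, m)


def lsb_leaking(k, m):
    """Constructed toy cipher: OTP with the key's LSB fixed to 0, so LSB(c) = LSB(m)."""
    return xor_bits(k[:-1] + (0,), m)


def adv_ss(E, keys, m0, m1, adversary):
    """Adv_SS[A,E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] | for a deterministic adversary that
    has chosen (m0, m1) and outputs b' = adversary(c); probabilities over k uniform in keys."""
    w = []
    for m in (m0, m1):
        w.append(Fraction(sum(adversary(E(k, m)) for k in keys), len(keys)))
    return abs(w[0] - w[1])


def lsb_adversary(c):
    """Adversary B from the slide: output the LSB it reads off the ciphertext as its guess b'.
    It is paired with m0 having LSB 0 and m1 having LSB 1."""
    return c[-1]


if __name__ == "__main__":
    keys = all_strings(3)
    m0, m1 = (1, 0, 0), (1, 0, 1)          # same length, LSB 0 and LSB 1
    print(adv_ss(lsb_leaking, keys, m0, m1, lsb_adversary))   # 1
    print(adv_ss(otp, keys, m0, m1, lsb_adversary))           # 0
```

For the leaking cipher the adversary's output equals b in every run, giving advantage 1; for the OTP the LSB of c is k's LSB, uniform and independent of b, so both experiments output 1 exactly half the time.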
Stream ciphers

Stream ciphers are semantically secure

Goal: secure PRG ⇒ semantically secure stream cipher

Stream ciphers are semantically secure

Thm: G: K → {0,1}^n is a secure PRG ⇒
stream cipher E derived from G is sem. sec.

∀ sem. sec. adversary A, ∃ a PRG adversary B s.t.
Adv_SS[A,E] ≤ 2 · Adv_PRG[B,G]
Proof: intuition

(figure: in the real game the challenger answers m0, m1 with c ← m_b ⊕ G(k); replacing G(k) by a truly random r ← {0,1}^n gives a game with c ← m_b ⊕ r; the two games are ≈p for the adversary A, since a change in A's output b' would distinguish G(k) from r)
Proof: Let A be a sem. sec. adversary.

For b=0,1: W_b := [ event that b'=1 ] in EXP(b), where c ← m_b ⊕ G(k)
Adv_SS[A,E] = | Pr[ W0 ] − Pr[ W1 ] |

For b=0,1: R_b := [ event that b'=1 ] in the game with c ← m_b ⊕ r, r ← {0,1}^n

Claim 1: | Pr[R0] − Pr[R1] | = 0
Claim 2: ∃B: | Pr[W_b] − Pr[R_b] | = Adv_PRG[B,G]   for b = 0,1

⇒ Adv_SS[A,E] = | Pr[W0] − Pr[W1] |
                ≤ | Pr[W0] − Pr[R0] | + | Pr[R0] − Pr[R1] | + | Pr[R1] − Pr[W1] |
                ≤ 2 · Adv_PRG[B,G]
Proof of claim 2: ∃B: | Pr[W0] − Pr[R0] | = Adv_PRG[B,G]

Algorithm B:
Block ciphers

What is a block cipher?

Block ciphers: crypto work horse

(figure: n-bit PT block → E, D keyed with k bits → n-bit CT block)

Canonical examples:
1. 3DES: n = 64 bits, k = 168 bits
2. AES: n = 128 bits, k = 128, 192, 256 bits
Block Ciphers Built by Iteration

R(k,m) is called a round function

for 3DES (n=48), for AES-128 (n=10)
Performance: stream ciphers vs. block ciphers

AMD Opteron, 2.2 GHz (Linux)          Crypto++ 5.6.0 [ Wei Dai ]

Cipher        Block/key size   Speed (MB/sec)
RC4           stream           126
Salsa20/12    stream           643
Sosemanuk     stream           727
3DES          64/168           13
AES-128       128/128          109
Abstractly: PRPs and PRFs

• Pseudo Random Function (PRF) defined over (K,X,Y):
  F: K × X → Y
  such that exists "efficient" algorithm to evaluate F(k,x)

• Pseudo Random Permutation (PRP) defined over (K,X):
  E: K × X → X
  such that:
  1. Exists "efficient" deterministic algorithm to evaluate E(k,x)
  2. The function E(k, ·) is one-to-one
  3. Exists "efficient" inversion algorithm D(k,y)
Running example

Example PRPs: 3DES, AES, ...
AES:  K × X → X  where  K = X = {0,1}^128
3DES: K × X → X  where  X = {0,1}^64 , K = {0,1}^168

Functionally, any PRP is also a PRF.
- A PRP is a PRF where X = Y and is efficiently invertible.
Secure PRFs

• Let F: K × X → Y be a PRF
  Funs[X,Y]: the set of all functions from X to Y
  S_F = { F(k,·) s.t. k∈K } ⊆ Funs[X,Y]

• Intuition: a PRF is secure if
  a random function in Funs[X,Y] is indistinguishable from
  a random function in S_F

(figure: S_F, of size |K|, is a tiny subset of Funs[X,Y], of size |Y|^|X|)

Secure PRPs (secure block cipher)

• Let E: K × X → X be a PRP
  Perms[X]: the set of all one-to-one functions from X to X
  S_E = { E(k,·) s.t. k∈K } ⊆ Perms[X]

• Intuition: a PRP is secure if
  a random function in Perms[X] is indistinguishable from
  a random function in S_E

(figure: the adversary queries x and must decide whether the answers are π(x) for a random permutation π or E(k,x) for a random key k)
Let F: K × X → {0,1}^128 be a secure PRF.

Is the following G a secure PRF?

G(k, x) = 0^128 if x = 0 ,  F(k,x) otherwise

✓ O No, it is easy to distinguish G from a random function
O Yes, an attack on G would also break F
O It depends on F

An easy application: PRF ⇒ PRG

Let F: K × {0,1}^n → {0,1}^n be a secure PRF.

Then the following G: K → {0,1}^{nt} is a secure PRG:
G(k) = F(k,0) || F(k,1) || ... || F(k,t-1)

Key property: parallelizable

Security from PRF property: F(k,·) indist. from random function f(·)
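An added example (not code from the course) for the quiz and the PRF ⇒ PRG construction above: HMAC-SHA256 stands in for the secure PRF F (an assumption of this example; the slide's F is an abstract PRF such as a block cipher), G(k) = F(k,0) || ... || F(k,t-1) is built from it, and the one-query distinguisher for the quiz's G (all-zero output at x = 0) is run against both kinds of oracle. Names and key values are this example's own.

```python
import hashlib
import hmac

BLOCK = 32    # output length in bytes of the PRF stand-in


def prf(key, x):
    """F(k, x): HMAC-SHA256 keyed with k over the 8-byte big-endian encoding of x."""
    return hmac.new(key, x.to_bytes(8, "big"), hashlib.sha256).digest()


def prf_to_prg(key, t):
    """G(k) = F(k,0) || F(k,1) || ... || F(k,t-1): each block is independent, so the
    blocks can be computed in parallel (the "key property" on the slide)."""
    return b"".join(prf(key, i) for i in range(t))


def bad_prf(key, x):
    """The quiz's G: all-zero output on x = 0, F(k, x) elsewhere."""
    return bytes(BLOCK) if x == 0 else prf(key, x)


def distinguisher(oracle):
    """Statistical test for the quiz: query x = 0 once. A random function answers with
    all zeros with probability 2^-256, so output 1 ("this is the bad G") iff it does."""
    return 1 if oracle(0) == bytes(BLOCK) else 0


if __name__ == "__main__":
    k = b"\x07" * 16                                    # constructed key
    stream = prf_to_prg(k, 4)                           # 128 pseudorandom bytes
    print(len(stream), stream[:BLOCK] == prf(k, 0))
    print(distinguisher(lambda x: bad_prf(k, x)))       # 1: the quiz's G is caught
    print(distinguisher(lambda x: prf(k, x)))           # 0: a real PRF is not
```

The distinguisher's advantage against the quiz's G is 1 − 2^-256, essentially 1, which is why "No, it is easy to distinguish G from a random function" is the marked answer; the PRG built from a secure F inherits its security because each F(k,i) is indistinguishable from an independent random block.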
Block ciphers

The data encryption standard (DES)
The Data Encryption Standard (DES) 

• Early 1970s: Horst Feistel designs Lucifer at IBM 

key-len = 128 bits ; block-len = 128 bits 

• 1973: NBS asks for block cipher proposals. 

IBM submits variant of Lucifer. 

• 1976: NBS adopts DES as a federal standard 

key-len = 56 bits ; block-len = 64 bits 

• 1997: DES broken by exhaustive search 

• 2000: NIST adopts Rijndael as AES to replace DES 


Widely deployed in banking (ACH) and commerce 
DES: core idea - Feistel Network

Given functions f1, ..., fd: {0,1}^n → {0,1}^n
Goal: build invertible function F: {0,1}^2n → {0,1}^2n

(figure: the 2n-bit input is split into halves (R0, L0) of n bits each; round i maps (R_{i-1}, L_{i-1}) to (R_i, L_i); the output is (R_d, L_d))

In symbols:
R_i = f_i(R_{i-1}) ⊕ L_{i-1}
L_i = R_{i-1}
Claim: for all f1, ..., fd: {0,1}^n → {0,1}^n
Feistel network F: {0,1}^2n → {0,1}^2n is invertible

Proof: construct inverse

(figure: one round maps (R_{i-1}, L_{i-1}) to (R_i, L_i); its inverse recovers (R_{i-1}, L_{i-1}) from (R_i, L_i))

inverse of one round:
R_{i-1} = L_i
L_{i-1} = f_i(R_{i-1}) ⊕ R_i = f_i(L_i) ⊕ R_i
Decryption circuit

• Inversion is basically the same circuit,
  with f_1, ..., f_d applied in reverse order

• General method for building invertible functions (block ciphers)
  from arbitrary functions.

• Used in many block ciphers ... but not AES
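The Feistel construction and its inverse, as an added example (not DES code from the course): round functions are built here from SHA-256 and are not invertible on their own, yet the network is, and decryption is the same circuit with the f_i applied in reverse order, as the slide says. The round-function construction, the 32-bit half size and the names are this example's own.

```python
import hashlib


def feistel_encrypt(round_fns, left, right):
    """d-round Feistel network on a block split into halves (L0, R0):
    L_i = R_{i-1};  R_i = f_i(R_{i-1}) xor L_{i-1}.  Any functions f_i work."""
    for f in round_fns:
        left, right = right, f(right) ^ left
    return left, right


def feistel_decrypt(round_fns, left, right):
    """Inverse: run the rounds in reverse order; each step recovers
    R_{i-1} = L_i and L_{i-1} = f_i(L_i) xor R_i."""
    for f in reversed(round_fns):
        left, right = f(left) ^ right, left
    return left, right


def make_round_function(round_key, n_bits=32):
    """Constructed f_i: {0,1}^n -> {0,1}^n from SHA-256 of (round key, input).
    It is a many-to-one function; nothing about it is invertible."""
    mask = (1 << n_bits) - 1

    def f(x):
        digest = hashlib.sha256(round_key + x.to_bytes(8, "big")).digest()
        return int.from_bytes(digest[:8], "big") & mask

    return f


def expand_key(key_bytes, rounds):
    """Toy key schedule: round i uses key_bytes || i (not the DES key schedule)."""
    return [make_round_function(key_bytes + bytes([i])) for i in range(rounds)]


if __name__ == "__main__":
    fns = expand_key(b"constructed-key", 16)            # 16 rounds, as in DES
    block = (0xDEADBEEF, 0x01234567)                     # two 32-bit halves
    ct = feistel_encrypt(fns, *block)
    print([hex(h) for h in ct], feistel_decrypt(fns, *ct) == block)
```

Because every round only XORs f_i of one half into the other half and then swaps, the round functions are never inverted; this is what lets DES use a non-invertible F(k_i, x) inside an invertible cipher.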
"Thm:" (Luby-Rackoff '85):

f: K × {0,1}^n → {0,1}^n a secure PRF
⇒ 3-round Feistel F: K^3 × {0,1}^2n → {0,1}^2n a secure PRP

(figure: three Feistel rounds, each using f with its own key k1, k2, k3)
DES: 16 round Feistel network

f1, ..., f16: {0,1}^32 → {0,1}^32 ,  f_i(x) = F( k_i, x )

key expansion: 56-bit key K → 16 round keys k1, ..., k16 (48 bits each)

(figure: 64-bit input → 16 round Feistel network → 64-bit output)

To invert, use keys in reverse order

The function F(k_i, x)

(figure: x (32 bits) → E: expand to 48 bits → ⊕ k_i (48 bits) → 8 S-boxes, 6 bits in and 4 bits out each → P: permute the 32 bits → 32-bit output)

S-box: function {0,1}^6 → {0,1}^4, implemented as look-up table.
The S-boxes

S_5 : {0,1}^6 → {0,1}^4. The row is selected by the outer bits (x_1 x_6), the column by the middle 4 bits (x_2 x_3 x_4 x_5); the entry is the 4-bit output.

outer |                                middle 4 bits of input
bits  | 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111
------+--------------------------------------------------------------------------------
  00  | 0010 1100 0100 0001 0111 1010 1011 0110 1000 0101 0011 1111 1101 0000 1110 1001
  01  | 1110 1011 0010 1100 0100 0111 1101 0001 0101 0000 1111 1010 0011 1001 1000 0110
  10  | 0100 0010 0001 1011 1010 1101 0111 1000 1111 1001 1100 0101 0110 0011 0000 1110
  11  | 1011 1000 1100 0111 0001 1110 0010 1101 0110 1111 0000 1001 1010 0100 0101 0011
Example: a bad S-box choice

Suppose:

S_i(x_1, ..., x_6) = ( x_2⊕x_3 ,  x_1⊕x_4⊕x_5 ,  x_1⊕x_6 ,  x_2⊕x_3⊕x_6 )

or written equivalently: S_i(x) = A_i · x (mod 2)

        | 0 1 1 0 0 0 |   | x_1 |     | x_2⊕x_3     |
  A_i = | 1 0 0 1 1 0 | · | x_2 |  =  | x_1⊕x_4⊕x_5 |
        | 1 0 0 0 0 1 |   | ... |     | x_1⊕x_6     |
        | 0 1 1 0 0 1 |   | x_6 |     | x_2⊕x_3⊕x_6 |

We say that S_i is a linear function.
Example: a bad S-box choice

Then entire DES cipher would be linear: ∃ fixed binary matrix B (64 rows, 832 columns) s.t.

DES(k, m) = B · (m, k_1, k_2, ..., k_16)^T = c   (mod 2)

(m is 64 bits and each round key k_i is 48 bits: 64 + 16·48 = 832 columns)

But then:

DES(k, m_1) ⊕ DES(k, m_2) ⊕ DES(k, m_3) = DES(k, m_1 ⊕ m_2 ⊕ m_3)

since  B·(m_1, k) ⊕ B·(m_2, k) ⊕ B·(m_3, k) = B·(m_1⊕m_2⊕m_3, k⊕k⊕k) = B·(m_1⊕m_2⊕m_3, k)   (mod 2)
Choosing the S-boxes and P-box

Choosing the S-boxes and P-box at random would result in an insecure block cipher (key recovery after ≈2^24 outputs) [BS'89]

Several rules used in choice of S and P boxes:

• No output bit should be close to a linear func. of the input bits

• S-boxes are 4-to-1 maps
Block ciphers

Exhaustive Search Attacks

Exhaustive Search for block cipher key

Goal: given a few input output pairs (m_i, c_i = E(k, m_i)), i = 1, ..., 3, find key k.

Lemma: Suppose DES is an ideal cipher (2^56 random invertible functions). Then ∀ m, c there is at most one key k s.t. c = DES(k, m) with prob. ≥ 1 - 1/256 ≈ 99.5%

Proof: Pr[ ∃ k' ≠ k : DES(k', m) = c ] ≤ Σ_{k' ≠ k} Pr[ DES(k', m) = c ] ≤ 2^56 · 1/2^64 = 1/256

Exhaustive Search for block cipher key

For two DES pairs (m_1, c_1 = DES(k, m_1)), (m_2, c_2 = DES(k, m_2)): unicity prob. ≈ 1 - 1/2^71

For AES-128: given two inp/out pairs, unicity prob. ≈ 1 - 1/2^128

⇒ two input/output pairs are enough for exhaustive key search.
DES challenge

msg = "The unknown message is: XXXX ..."
CT  =  c_1  c_2  c_3

Goal: find k ∈ {0,1}^56 s.t. DES(k, m_i) = c_i for i = 1, 2, 3

1997: Internet search -- 3 months

1998: EFF machine (deep crack) -- 3 days ($250K)

1999: combined search -- 22 hours

2006: COPACOBANA (120 FPGAs) -- 7 days ($10K)

⇒ 56-bit ciphers should not be used !!   (128-bit key ⇒ 2^72 days)

Strengthening DES against ex. search

Method 1: Triple-DES

• Let E : K × M → M be a block cipher

• Define 3E: K^3 × M → M as

  3E( (k_1, k_2, k_3), m) = E(k_1, D(k_2, E(k_3, m)))

For 3DES: key-size = 3×56 = 168 bits. 3× slower than DES.

(simple attack in time ≈2^118)
Why not double DES?

Define 2E( (k_1, k_2), m) = E(k_1, E(k_2, m))

key-len = 112 bits for DES

Attack: M = (m_1, ..., m_10) ; C = (c_1, ..., c_10).

[diagram: M → E(k_2, ·) → E(k_1, ·) → C; the value in the middle satisfies E(k_2, M) = D(k_1, C)]

• step 1: build table, sort on 2nd column

    k^0 = 00...00    E(k^0, M)
    k^1 = 00...01    E(k^1, M)
    k^2 = 00...10    E(k^2, M)
    ...
    k^N = 11...11    E(k^N, M)

    2^56 entries

Meet in the middle attack

Attack: M = (m_1, ..., m_10) , C = (c_1, ..., c_10)

• step 1: build table.

• step 2: for all k ∈ {0,1}^56 do:
    test if D(k, C) is in 2nd column.
    if so then E(k', M) = D(k, C)  ⇒  (k', k) = (k_2, k_1)

Meet in the middle attack

Time = 2^56 log(2^56) + 2^56 log(2^56) < 2^63 ≪ 2^112 ,   space = 2^56

(sort the table once, then binary-search it for every k)

Same attack on 3DES: Time = 2^118 , space = 2^56

[diagram: m → E(k_3, ·) → E(k_2, ·) → E(k_1, ·) → c]

Method 2: DESX

E : K × {0,1}^n → {0,1}^n a block cipher

Define EX as EX( (k_1, k_2, k_3), m) = k_1 ⊕ E(k_2, m ⊕ k_3)

For DESX: key-len = 64+56+64 = 184 bits

... but easy attack in time 2^120 (homework)

Note: k_1 ⊕ E(k_2, m) and E(k_2, m ⊕ k_3) does nothing !!
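The three attacks from the exhaustive-search and DESX slides, as one added example that is not part of the course material: a toy 16-bit SPN cipher (assumed for the example, so that 2^16 keys can be searched in seconds) under exhaustive key search with a few known pairs, the meet-in-the-middle attack on double encryption, and the reason one-sided whitening k_1 ⊕ E(k_2, m) adds nothing. The S-box, key schedule and bit permutation are constructed for the demonstration and have no security value of their own.

```python
"""Toy 16-bit SPN cipher and the attacks from the slides: exhaustive key search
with a few known pairs, meet-in-the-middle on double encryption, and why
whitening on one side only (k1 XOR E(k2, m)) adds nothing."""

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUNDS = 4
MASK = 0xFFFF


def rotl16(x, r):
    r %= 16
    return ((x << r) | (x >> (16 - r))) & MASK


def s_layer(x, box):
    """Apply the 4-bit S-box to each nibble of a 16-bit word."""
    return (box[x >> 12] << 12) | (box[(x >> 8) & 0xF] << 8) | (box[(x >> 4) & 0xF] << 4) | box[x & 0xF]


# One round = key XOR, nibble S-boxes, bit permutation (rotation by 5). Tables make it fast.
SP_TABLE = [rotl16(s_layer(x, SBOX), 5) for x in range(1 << 16)]
S_TABLE = [s_layer(x, SBOX) for x in range(1 << 16)]
INV_S_TABLE = [s_layer(x, INV_SBOX) for x in range(1 << 16)]
INV_SP_TABLE = [s_layer(rotl16(x, 11), INV_SBOX) for x in range(1 << 16)]


def round_keys(k):
    """Toy key schedule (constructed): rotations of the 16-bit master key."""
    return [rotl16(k, 3 * i) for i in range(ROUNDS + 1)]


def toy_encrypt(k, m):
    rk = round_keys(k)
    x = m
    for i in range(ROUNDS - 1):
        x = SP_TABLE[x ^ rk[i]]
    return S_TABLE[x ^ rk[ROUNDS - 1]] ^ rk[ROUNDS]


def toy_decrypt(k, c):
    rk = round_keys(k)
    x = INV_S_TABLE[c ^ rk[ROUNDS]] ^ rk[ROUNDS - 1]
    for i in range(ROUNDS - 2, -1, -1):
        x = INV_SP_TABLE[x] ^ rk[i]
    return x


def exhaustive_search(pairs):
    """Every key consistent with all (m, c) pairs: 2^16 trial encryptions.
    With a 16-bit block, one pair leaves ~1 false candidate; three pairs pin the key."""
    return [k for k in range(1 << 16) if all(toy_encrypt(k, m) == c for m, c in pairs)]


def double_encrypt(k1, k2, m):
    return toy_encrypt(k1, toy_encrypt(k2, m))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) of 2E in ~2 * 2^16 work instead of 2^32.
    Step 1: table E(k', m0) -> k'.  Step 2: for each k, look up D(k, c0)."""
    m0, c0 = pairs[0]
    table = {}
    for k2 in range(1 << 16):
        table.setdefault(toy_encrypt(k2, m0), []).append(k2)
    found = []
    for k1 in range(1 << 16):
        for k2 in table.get(toy_decrypt(k1, c0), []):
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:]):
                found.append((k1, k2))
    return found


def whitened_encrypt(k1, k2, m):
    """Output whitening only: a 32-bit key that is no better than 16 bits."""
    return k1 ^ toy_encrypt(k2, m)


def whitening_attack(pairs):
    """c_i XOR c_j = E(k2, m_i) XOR E(k2, m_j) does not involve k1, so k2 is found by
    a 2^16 search over that relation and k1 = c_0 XOR E(k2, m_0) falls out."""
    m0, c0 = pairs[0]
    found = []
    for k2 in range(1 << 16):
        e0 = toy_encrypt(k2, m0)
        if all(toy_encrypt(k2, m) ^ e0 == c ^ c0 for m, c in pairs[1:]):
            found.append((c0 ^ e0, k2))
    return found


if __name__ == "__main__":
    msgs = [0x1234, 0xABCD, 0x0F0F]            # constructed known plaintexts
    k, k1, k2 = 0xBEEF, 0x1337, 0xC0DE           # constructed secret keys
    print(exhaustive_search([(m, toy_encrypt(k, m)) for m in msgs]))
    print(meet_in_the_middle([(m, double_encrypt(k1, k2, m)) for m in msgs]))
    print(whitening_attack([(m, whitened_encrypt(k1, k2, m)) for m in msgs]))
```

The meet-in-the-middle table costs as much memory as the search saves in time, which is why the slide quotes space = 2^56 for DES; the whitening attack has no such cost, which is why the note says that one-sided whitening "does nothing".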
Block ciphers


More attacks on 
block ciphers 






Attacks on the implementation 

1. Side channel attacks: 

— Measure time to do enc/dec, measure power for enc/dec 



2 . Fault attacks: 


- Computing errors in the last round expose the secret key k 


do not even implement crypto primitives yourself... 
Linear and differential attacks   [BS'89, M'93]

Given many inp/out pairs, can recover key in time less than 2^56.

Linear cryptanalysis (overview): let c = DES(k, m)

Suppose for random k, m :

Pr[ m[i_1] ⊕ ... ⊕ m[i_r]  ⊕  c[j_1] ⊕ ... ⊕ c[j_v]  =  k[l_1] ⊕ ... ⊕ k[l_u] ] = 1/2 + ε

for some ε, where the i's, j's and l's are fixed subsets of the message, ciphertext and key bit positions. For DES, this exists with ε = 1/2^21 ≈ 0.0000000477

Linear attacks

Pr[ m[i_1] ⊕ ... ⊕ m[i_r]  ⊕  c[j_1] ⊕ ... ⊕ c[j_v]  =  k[l_1] ⊕ ... ⊕ k[l_u] ] = 1/2 + ε

Thm: given 1/ε^2 random (m, c = DES(k, m)) pairs then

k[l_1, ..., l_u] = MAJ [ m[i_1, ..., i_r] ⊕ c[j_1, ..., j_v] ]

with prob. ≥ 97.7%

⇒ with 1/ε^2 inp/out pairs can find k[l_1, ..., l_u] in time ≈ 1/ε^2

Linear attacks

For DES, ε = 1/2^21 ⇒

with 2^42 inp/out pairs can find k[l_1, ..., l_u] in time 2^42

Roughly speaking: can find 14 key "bits" this way in time 2^42

Brute force remaining 56-14 = 42 bits in time 2^42

Total attack time ≈ 2^43 (≪ 2^56) with 2^42 random inp/out pairs

Lesson

A tiny bit of linearity in S_5 lead to a 2^43 time attack.
⇒ don't design ciphers yourself !!
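The S-box material above, the "bad S-box" and S-box selection rules, and the linear attack on S_5 in one added example (not code from the course). It computes the linear approximation table of S_5 from the table given earlier, checks the 4-to-1 rule, shows that the slide's linear S-box A_i has output bits that are exactly linear in the input, and runs the majority-vote estimator from the theorem on a one-round model y = S_5(x ⊕ k), the smallest case in which the key parity a·k is recovered from (x, y) pairs. The one-round model and the mask numbering (x_1 is the most significant bit) are assumptions made for the example.

```python
# DES S5 from the table above: row = outer bits x1 x6, column = middle bits x2 x3 x4 x5.
S5_ROWS = [
    [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9],
    [14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6],
    [4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14],
    [11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3],
]


def s5(x: int) -> int:
    """x = x1 x2 x3 x4 x5 x6 as a 6-bit integer, x1 the most significant bit."""
    row = ((x >> 5) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S5_ROWS[row][col]


# The slide's bad S-box S(x) = A x (mod 2); rows of A written as 6-bit masks over x1..x6.
A_ROWS = [0b011000, 0b100110, 0b100001, 0b011001]


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def linear_sbox(x: int) -> int:
    out = 0
    for row in A_ROWS:
        out = (out << 1) | parity(row & x)
    return out


def lat_count(sbox, in_mask: int, out_mask: int) -> int:
    """N(a,b) = #{x in {0,1}^6 : a.x XOR b.S(x) = 0}. 32 means no correlation; 64 or 0 means
    the output combination b.S(x) is exactly linear in the input."""
    return sum(1 for x in range(64) if parity(in_mask & x) ^ parity(out_mask & sbox(x)) == 0)


def max_linear_bias(sbox):
    """Largest |N(a,b) - 32| over all non-trivial masks, and the masks attaining it:
    the 'no output bit close to a linear function of the input bits' check."""
    best, where = 0, []
    for a in range(1, 64):
        for b in range(1, 16):
            dev = abs(lat_count(sbox, a, b) - 32)
            if dev > best:
                best, where = dev, [(a, b)]
            elif dev == best:
                where.append((a, b))
    return best, where


def is_four_to_one(sbox) -> bool:
    counts = [0] * 16
    for x in range(64):
        counts[sbox(x)] += 1
    return all(c == 4 for c in counts)


def recover_key_parity(sbox, in_mask: int, out_mask: int, key: int, inputs) -> int:
    """One-round model y = S(x XOR key).  a.x XOR b.y = a.key XOR [a.u XOR b.S(u)] with
    u = x XOR key, so the majority of a.x XOR b.y over the samples equals a.key when
    N(a,b) > 32 and its complement when N(a,b) < 32 (epsilon negative): the MAJ estimator."""
    votes = sum(parity(in_mask & x) ^ parity(out_mask & sbox(x ^ key)) for x in inputs)
    majority = 1 if 2 * votes > len(inputs) else 0
    return majority ^ (1 if lat_count(sbox, in_mask, out_mask) < 32 else 0)


if __name__ == "__main__":
    print("S5 max |N-32|:", max_linear_bias(s5))           # the x2 / all-output-bits relation
    print("linear S-box max |N-32|:", max_linear_bias(linear_sbox)[0])
    print("S5 is 4-to-1:", is_four_to_one(s5), " A_i is 4-to-1:", is_four_to_one(linear_sbox))
    key = 0b101101                                          # constructed round-key bits
    print("recovered a.k:", recover_key_parity(s5, 16, 15, key, range(64)), "true:", parity(16 & key))
```

Two things the numbers show: the strongest relation in S_5 (x_2 against the XOR of all four output bits) holds for only 12 of 64 inputs, a deviation of 20/64 that is small but far from zero, and the linear A_i is also a 4-to-1 map, so that rule alone does not rule out a catastrophic S-box; the bias rule does.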
Quantum attacks

Generic search problem:

Let f: X → {0,1} be a function.

Goal: find x ∈ X s.t. f(x) = 1.

Classical computer: best generic algorithm time = O( |X| )

Quantum computer [Grover '96] : time = O( |X|^{1/2} )

Can quantum computers be built: unknown

Quantum exhaustive search

Given m, c = E(k,m) define   f(k) = 1 if E(k,m) = c, 0 otherwise

Grover ⇒ quantum computer can find k in time O(|K|^{1/2})

DES: time ≈ 2^28 ,   AES-128: time ≈ 2^64

quantum computer ⇒ 256-bit key ciphers (e.g. AES-256)
Block ciphers

The AES block cipher

The AES process

• 1997: NIST publishes request for proposal

• 1998: 15 submissions. Five claimed attacks.

• 1999: NIST chooses 5 finalists

• 2000: NIST chooses Rijndael as AES (designed in Belgium)

Key sizes: 128, 192, 256 bits.   Block size: 128 bits

AES is a Subs-Perm network (not Feistel)

[diagram: input → ⊕ k_0 → substitution layer → permutation layer → ⊕ k_1 → ... → ⊕ k_n → output; every layer is invertible, so decryption runs the inverse layers in reverse order (inversion)]

AES-128 schematic

[diagram: 128-bit input; 10 rounds of (1) ByteSub, (2) ShiftRow, (3) MixColumn followed by ⊕ round key, the last round without MixColumn; key expansion of the 16-byte key into eleven 16-byte round keys]
The round function

• ByteSub: a 1 byte S-box. 256 byte table (easily computable)

• ShiftRows: row i of the 4×4 byte state is rotated left by i positions

• MixColumns: each column of the state is multiplied by a fixed invertible matrix over GF(2^8)

[diagram: 4×4 state s_{r,c}; ShiftRows leaves row 0 in place and maps row 1 (s_{1,0} s_{1,1} s_{1,2} s_{1,3}) to (s_{1,1} s_{1,2} s_{1,3} s_{1,0}), row 2 to (s_{2,2} s_{2,3} s_{2,0} s_{2,1}) and row 3 to (s_{3,3} s_{3,0} s_{3,1} s_{3,2}); MixColumns maps each column (s_{0,c}, s_{1,c}, s_{2,c}, s_{3,c}) to (s'_{0,c}, s'_{1,c}, s'_{2,c}, s'_{3,c})]
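AES-128 encryption written out from the round description above, as an added example (not code from the course, and not an implementation to deploy: it is table-free and unprotected against timing side channels, which is the point of the code-size/performance discussion that follows). The S-box is computed from the GF(2^8) inverse plus the affine map at import time rather than stored, and the state is kept column-major, state[r + 4c], as in the standard.

```python
"""AES-128 encryption from the round description: ByteSub (SubBytes), ShiftRows,
MixColumns, AddRoundKey, with the S-box computed rather than stored."""


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _build_sbox() -> list:
    """S-box = affine transform of the multiplicative inverse: the 'easily computable' table."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        b = inv[x]
        s = b
        for _ in range(4):
            b = ((b << 1) | (b >> 7)) & 0xFF
            s ^= b
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def sub_bytes(state: list) -> list:
    return [SBOX[b] for b in state]


def shift_rows(state: list) -> list:
    """Column-major state, state[r + 4*c]; row r is rotated left by r positions."""
    out = [0] * 16
    for c in range(4):
        for r in range(4):
            out[r + 4 * c] = state[r + 4 * ((c + r) % 4)]
    return out


def mix_columns(state: list) -> list:
    """Each column times the circulant matrix (2 3 1 1 / 1 2 3 1 / 1 1 2 3 / 3 1 1 2)."""
    out = [0] * 16
    for c in range(4):
        a = state[4 * c:4 * c + 4]
        out[4 * c + 0] = gf_mul(a[0], 2) ^ gf_mul(a[1], 3) ^ a[2] ^ a[3]
        out[4 * c + 1] = a[0] ^ gf_mul(a[1], 2) ^ gf_mul(a[2], 3) ^ a[3]
        out[4 * c + 2] = a[0] ^ a[1] ^ gf_mul(a[2], 2) ^ gf_mul(a[3], 3)
        out[4 * c + 3] = gf_mul(a[0], 3) ^ a[1] ^ a[2] ^ gf_mul(a[3], 2)
    return out


def add_round_key(state: list, rk: list) -> list:
    return [s ^ k for s, k in zip(state, rk)]


def key_expansion(key: bytes) -> list:
    """Expand the 16-byte key into 11 round keys of 16 bytes (44 words)."""
    words = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(words[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]              # RotWord
            t = [SBOX[b] for b in t]       # SubWord
            t[0] ^= rcon
            rcon = gf_mul(rcon, 2)
        words.append([a ^ b for a, b in zip(words[i - 4], t)])
    return [sum(words[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    assert len(key) == 16 and len(block) == 16
    rks = key_expansion(key)
    state = add_round_key(list(block), rks[0])
    for rnd in range(1, 10):
        state = add_round_key(mix_columns(shift_rows(sub_bytes(state))), rks[rnd])
    state = add_round_key(shift_rows(sub_bytes(state)), rks[10])   # last round: no MixColumns
    return bytes(state)


if __name__ == "__main__":
    key = bytes(range(16))                                  # FIPS-197 appendix C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")  # and plaintext
    print(aes128_encrypt_block(key, pt).hex())              # 69c4e0d86a7b0430d8cdb78070b4c55a
```

The "pre-compute round functions" option in the next slide folds SubBytes, ShiftRows and MixColumns into four 1 KB T-tables, so a round becomes 16 lookups and XORs; the S-box-only option is what the code above uses for SubBytes, and the table-free option would recompute SBOX[b] from the field inverse on every byte.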
Code size/performance tradeoff

                                        Code size     Performance
Pre-compute round functions             largest       fastest: table lookups and xors
  (24KB or 4KB)
Pre-compute S-box only (256 bytes)      smaller       slower
No pre-computation                      smallest      slowest
Example: Javascript AES

AES in the browser:

AES library (6.4KB)  ←  no pre-computed tables

Prior to encryption: pre-compute tables

Then encrypt using tables

http://crypto.stanford.edu/sjcl/
AES in hardware

AES instructions in Intel Westmere:

• aesenc, aesenclast: do one round of AES

  128-bit registers: xmm1 = state, xmm2 = round key
  aesenc xmm1, xmm2 ; puts result in xmm1

• aeskeygenassist: performs AES key expansion

• Claim 14× speed-up over OpenSSL on same hardware

Similar instructions on AMD Bulldozer

Attacks

Best key recovery attack: four times better than ex. search [BKR'11]

Related key attack on AES-256: [BK'09]

Given 2^99 inp/out pairs from four related keys in AES-256 can recover keys in time ≈2^99
Block ciphers

Block ciphers from PRGs

Can we build a PRF from a PRG?

Let G: K → K^2 be a secure PRG

Define 1-bit PRF F: K × {0,1} → K as

F(k, x ∈ {0,1}) = G(k)[x]

[diagram: k → G → ( G(k)[0], G(k)[1] )]

Thm: If G is a secure PRG then F is a secure PRF

Can we build a PRF with a larger domain?

Extending a PRG

Let G: K → K^2.

define G_1: K → K^4 as G_1(k) = G(G(k)[0]) || G(G(k)[1])

We get a 2-bit PRF:   F(k, x ∈ {0,1}^2) = G_1(k)[x]

[diagram: k → G → G(k)[0], G(k)[1]; each half is fed through G again, giving the four blocks of G_1(k), indexed 00, 01, 10, 11]

G a secure PRG ⇒ G_1 is a secure PRG (replace G(k) by a random pair, then each inner G output by a random pair; each step is indistinguishable by the security of G)

Extending more

Let G: K → K^2.

define G_2: K → K^8 as G_2(k) = G(G_1(k)[00]) || G(G_1(k)[01]) || G(G_1(k)[10]) || G(G_1(k)[11])

We get a 3-bit PRF:   F(k, x ∈ {0,1}^3) = G_2(k)[x]

[diagram: a depth-3 binary tree rooted at k; each node is expanded by G, the leaves are the eight blocks of G_2(k), indexed 000, 001, ..., 111]

Extending even more: the GGM PRF

Let G: K → K^2. define PRF F: K × {0,1}^n → K as
For input x = x_0 ... x_{n-1} ∈ {0,1}^n do:

  k_0 = k ;   k_1 = G(k_0)[x_0] ;   k_2 = G(k_1)[x_1] ;   k_3 = G(k_2)[x_2] ;   ... ;   k_n = G(k_{n-1})[x_{n-1}]

  output k_n

Security: G a secure PRG ⇒ F is a secure PRF on {0,1}^n.

Not used in practice due to slow performance.
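The PRG-to-PRF constructions above as an added example (not code from the course): the 1-bit PRF, G_1 with the 2-bit PRF, and the general GGM tree walk. The PRG G: K → K^2 is modelled by SHA-256(k) split into two 128-bit halves; that choice is an assumption for the example, not a proof that SHA-256 is a PRG.

```python
import hashlib

KEY_BYTES = 16  # K = {0,1}^128


def prg(k: bytes) -> tuple:
    """G: K -> K^2. Stand-in for the example: SHA-256(k) split into two 128-bit halves."""
    d = hashlib.sha256(k).digest()
    return d[:KEY_BYTES], d[KEY_BYTES:]


def one_bit_prf(k: bytes, x: int) -> bytes:
    """F(k, x) = G(k)[x] for x in {0,1}."""
    return prg(k)[x]


def g1(k: bytes) -> tuple:
    """G_1(k) = G(G(k)[0]) || G(G(k)[1]) : K -> K^4, indexed by the 2-bit strings 00, 01, 10, 11."""
    left, right = prg(k)
    return prg(left) + prg(right)


def two_bit_prf(k: bytes, x: int) -> bytes:
    """F(k, x) = G_1(k)[x] for x in {0,1}^2 (x as the integer 0..3)."""
    return g1(k)[x]


def ggm_prf(k: bytes, bits) -> bytes:
    """The GGM PRF on {0,1}^n: k_0 = k, k_{i+1} = G(k_i)[x_i], output k_n.
    One PRG call per input bit, which is why it is too slow for practice."""
    for bit in bits:
        k = prg(k)[bit]
    return k


def ggm_prf_int(k: bytes, x: int, n: int) -> bytes:
    """Same PRF with x given as an n-bit integer, most significant bit first."""
    return ggm_prf(k, ((x >> (n - 1 - i)) & 1 for i in range(n)))


if __name__ == "__main__":
    k = b"\x01" * KEY_BYTES                       # constructed key
    print(ggm_prf_int(k, 0xDEADBEEF, 128).hex())  # 128 sequential SHA-256 calls for one output
```

Only the path from the root to one leaf is ever computed, so the 2^n leaves of the tree never have to exist; the cost is n PRG calls per evaluation, against the handful of rounds AES needs for a 128-bit input.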
Secure block cipher from a PRG?

Can we build a secure PRP from a secure PRG?

O No, it cannot be done

O Yes, just plug the GGM PRF into the Luby-Rackoff theorem

O It depends on the underlying PRG
Using block ciphers

Review: PRPs and PRFs

Block ciphers: crypto work horse

[diagram: n-bit plaintext block → E, D → n-bit ciphertext block, under a k-bit key]

Canonical examples:

1. 3DES: n = 64 bits, k = 168 bits

2. AES: n = 128 bits, k = 128, 192, 256 bits

Abstractly: PRPs and PRFs

• Pseudo Random Function (PRF) defined over (K,X,Y):

  F: K × X → Y

  such that exists "efficient" algorithm to evaluate F(k,x)

• Pseudo Random Permutation (PRP) defined over (K,X):

  E: K × X → X

  such that:

  1. Exists "efficient" deterministic algorithm to evaluate E(k,x)

  2. The function E(k, ·) is one-to-one

  3. Exists "efficient" inversion algorithm D(k,x)
Secure PRFs

Let F: K × X → Y be a PRF

Funs[X,Y]: the set of all functions from X to Y

S_F = { F(k,·) s.t. k ∈ K } ⊆ Funs[X,Y]

Intuition: a PRF is secure if a random function in Funs[X,Y] is indistinguishable from a random function in S_F

[diagram: the set Funs[X,Y], of size |Y|^|X|, containing the much smaller set S_F, of size |K|]

Secure PRF: definition

• For b = 0,1 define experiment EXP(b) as:

  Chal.:  b=0: k ← K, f ← F(k,·) ;   b=1: f ← Funs[X,Y]
  Adv. A sends x_1, x_2, ..., x_q ∈ X and receives f(x_1), f(x_2), ..., f(x_q)
  A outputs b' ∈ {0,1}

• Def: F is a secure PRF if for all "efficient" A:

  Adv_PRF[A,F] := | Pr[EXP(0)=1] - Pr[EXP(1)=1] |

  is "negligible."

Secure PRP (secure block cipher)

• For b = 0,1 define experiment EXP(b) as:

  Chal.:  b=0: k ← K, f ← E(k,·) ;   b=1: f ← Perms[X]
  Adv. A sends x_1, ..., x_q ∈ X, receives f(x_1), ..., f(x_q), and outputs b' ∈ {0,1}

• Def: E is a secure PRP if for all "efficient" A:

  Adv_PRP[A,E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] |

  is "negligible."
Let X = {0,1}. Perms[X] contains two functions

Consider the following PRP:

key space K = {0,1}; input space X = {0,1},
PRP defined as:

E(k, x) = x ⊕ k

Is this a secure PRP?

O Yes
O No
O It depends

[diagram: the two permutations of {0,1}: 0→0, 1→1 (k = 0) and 0→1, 1→0 (k = 1)]

Example secure PRPs

• PRPs believed to be secure: 3DES, AES, ...

  AES-128: K × X → X   where K = X = {0,1}^128

• An example concrete assumption about AES:

  All 2^80-time algs. A have Adv_PRP[A, AES] < 2^-40
Consider the 1-bit PRP from the previous question: E(k,x) = x ⊕ k

Is it a secure PRF?

Note that Funs[X,X] contains four functions

O Yes
O No
O It depends

Attacker A:

(1) query f(·) at x=0 and x=1

(2) if f(0) = f(1) output "1", else "0"

Adv_PRF[A,E] = | 0 - 1/2 | = 1/2

PRF Switching Lemma

Any secure PRP is also a secure PRF, if |X| is sufficiently large.

Lemma: Let E be a PRP over (K,X)

Then for any q-query adversary A:

| Adv_PRF[A,E] - Adv_PRP[A,E] | < q^2 / 2|X|

⇒ Suppose |X| is large so that q^2 / 2|X| is "negligible"

Then Adv_PRP[A,E] "negligible" ⇒ Adv_PRF[A,E] "negligible"
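The two quiz questions and the switching lemma worked out exactly, as an added example (not code from the course): for the 1-bit cipher E(k,x) = x ⊕ k the PRF and PRP advantages of the slide's attacker are computed by enumerating Funs[X,X] and Perms[X] outright, which is only possible because X is tiny, and the gap between them is compared with the lemma's bound q^2 / 2|X|. The enumeration helpers are written generically, so they also work for any other small K, X and Y.

```python
import itertools


def xor_cipher(k: int, x: int) -> int:
    """The slide's 1-bit PRP: E(k, x) = x XOR k with K = X = {0,1}."""
    return x ^ k


def all_functions(X, Y):
    """Funs[X,Y] enumerated as tables; there are |Y|^|X| of them, so only for tiny X and Y."""
    X = list(X)
    for outs in itertools.product(list(Y), repeat=len(X)):
        yield dict(zip(X, outs))


def all_permutations(X):
    """Perms[X]: the injective members of Funs[X,X]."""
    return [f for f in all_functions(X, X) if len(set(f.values())) == len(f)]


def keyed_functions(E, K, X):
    """S_E = { E(k, .) : k in K } as tables, one per key."""
    return [{x: E(k, x) for x in X} for k in K]


def adversary(f) -> int:
    """A from the slide: query 0 and 1, output 1 iff f(0) = f(1)."""
    return 1 if f(0) == f(1) else 0


def pr_outputs_one(tables, adv) -> float:
    """Pr[EXP outputs 1] when f is drawn uniformly from the given family (exact, by enumeration)."""
    tables = list(tables)
    return sum(adv(lambda x, f=f: f[x]) for f in tables) / len(tables)


def prf_advantage(E, K, X, Y, adv) -> float:
    return abs(pr_outputs_one(keyed_functions(E, K, X), adv) - pr_outputs_one(all_functions(X, Y), adv))


def prp_advantage(E, K, X, adv) -> float:
    return abs(pr_outputs_one(keyed_functions(E, K, X), adv) - pr_outputs_one(all_permutations(X), adv))


def switching_bound(q: int, X) -> float:
    """q^2 / (2|X|) from the PRF switching lemma."""
    return q * q / (2 * len(list(X)))


if __name__ == "__main__":
    K = X = [0, 1]
    print("Adv_PRF =", prf_advantage(xor_cipher, K, X, X, adversary))   # 0.5: not a secure PRF
    print("Adv_PRP =", prp_advantage(xor_cipher, K, X, adversary))      # 0.0: S_E is all of Perms[X]
    print("switching bound for q = 2:", switching_bound(2, X))          # 1.0 >= |0.5 - 0.0|
```

The PRP advantage is exactly zero because {E(0,·), E(1,·)} is all of Perms[{0,1}], so no adversary can tell them apart; the PRF advantage of 1/2 comes entirely from the two constant functions in Funs[X,X] that a permutation can never hit, and the switching bound of 1 for q = 2 and |X| = 2 is loose enough to allow that gap.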
Final note

• Suggestion:

  - don't think about the inner-workings of AES and 3DES.

• We assume both are secure PRPs and will see how to use them

Using block ciphers

Modes of operation: one time key

example: encrypted email, new key for every message.

Using PRPs and PRFs

Goal: build "secure" encryption from a secure PRP (e.g. AES).

This segment: one-time keys

1. Adversary's power:

   Adv sees only one ciphertext (one-time key)

2. Adversary's goal:

   Learn info about PT from CT (semantic security)

Next segment: many-time keys (a.k.a chosen-plaintext security)

Incorrect use of a PRP

Electronic Code Book (ECB):

PT:  m_1  m_2  ...        CT:  c_1  c_2  ...       with c_i = E(k, m_i)

Problem:

- if m_1 = m_2 then c_1 = c_2
In pictures

[image: a picture encrypted with AES in ECB mode; its outline stays visible because equal plaintext blocks give equal ciphertext blocks]   (courtesy B. Preneel)

Semantic Security (one-time key)

EXP(0): Adv. sends m_0, m_1 ∈ M with |m_0| = |m_1| ; Chal. picks k ← K and returns c ← E(k, m_0) ; Adv. outputs b' ∈ {0,1}

EXP(1): same, but Chal. returns c ← E(k, m_1)

one time key ⇒ adversary sees only one ciphertext

Adv_SS[A,E] = | Pr[ EXP(0)=1 ] - Pr[ EXP(1)=1 ] |   should be "neg."

ECB is not Semantically Secure

ECB is not semantically secure for messages that contain more than one block.

[diagram: Adv. sends the two-block messages m_0 = (x, x) and m_1 = (x, y) with x ≠ y; given (c_1, c_2) it outputs 0 if c_1 = c_2 and 1 otherwise, so Adv_SS[A, ECB] = 1]

Secure Construction

Deterministic counter mode from a PRF F : K × {0,1}^n → {0,1}^n

• E_DETCTR(k, m) =

       m[0]     m[1]    ...    m[L]
        ⊕        ⊕              ⊕
     F(k,0)   F(k,1)   ...   F(k,L)
    ---------------------------------
       c[0]     c[1]    ...    c[L]

⇒ Stream cipher built from a PRF (e.g. AES, 3DES)

Det. counter-mode security

Theorem: For any L>0,

If F is a secure PRF over (K,X,X) then E_DETCTR is a sem. sec. cipher over (K, X^L, X^L).

In particular, for any eff. adversary A attacking E_DETCTR there exists an eff. PRF adversary B s.t.:

Adv_SS[A, E_DETCTR] ≤ 2 · Adv_PRF[B, F]

Adv_PRF[B, F] is negligible (since F is a secure PRF)
Hence, Adv_SS[A, E_DETCTR] must be negligible.

Proof

[diagram: hybrid argument. In EXP(0) the pad is F(k,0), ..., F(k,L) applied to m_0; replacing F(k,·) by a truly random f ← Funs gives the pad f(0), ..., f(L), a one-time pad, so the random-function versions of EXP(0) and EXP(1) are identical. Each real experiment is within Adv_PRF[B,F] of its random-function version, giving the factor 2]
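ECB's leak, the semantic-security attacker against it, and deterministic counter mode as a one-time-key stream cipher, as one added example (not code from the course). The block cipher E(k,·) is a stand-in: a random permutation of 2-byte blocks seeded from the key, which is small enough to tabulate and is an assumption for the example, as is HMAC-SHA256 in the role of the PRF F.

```python
import hmac
import hashlib
import random

BLOCK = 2  # 16-bit blocks: tiny, so the permutation table can be built outright


def make_prp(key: bytes) -> list:
    """Stand-in for a block cipher E(k, .) on 2-byte blocks: a random permutation
    of {0,1}^16 seeded from the key (assumption for the example, not AES)."""
    table = list(range(1 << 16))
    random.Random(key).shuffle(table)
    return table


def ecb_encrypt(table: list, m: bytes) -> bytes:
    """c_i = E(k, m_i): equal plaintext blocks give equal ciphertext blocks."""
    assert len(m) % BLOCK == 0
    return b"".join(
        table[int.from_bytes(m[i:i + BLOCK], "big")].to_bytes(BLOCK, "big")
        for i in range(0, len(m), BLOCK)
    )


def equal_block_pairs(c: bytes) -> list:
    """What an eavesdropper learns from ECB: which plaintext blocks are equal."""
    chunks = [c[i:i + BLOCK] for i in range(0, len(c), BLOCK)]
    return [(i, j) for i in range(len(chunks)) for j in range(i + 1, len(chunks)) if chunks[i] == chunks[j]]


def ecb_ss_adversary(c: bytes) -> int:
    """Semantic-security attacker for ECB: m_0 = (x, x), m_1 = (x, y) with x != y;
    output 0 iff the two ciphertext blocks are equal."""
    return 0 if c[:BLOCK] == c[BLOCK:2 * BLOCK] else 1


def ss_experiment(encrypt, m0: bytes, m1: bytes, b: int, adversary) -> int:
    """EXP(b) for a one-time key: the adversary sees one ciphertext and guesses b."""
    return adversary(encrypt(m1 if b else m0))


def prf(k: bytes, counter: int) -> bytes:
    """F(k, i): HMAC-SHA256 as the PRF (assumption for the example)."""
    return hmac.new(k, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def det_ctr_encrypt(k: bytes, m: bytes) -> bytes:
    """Deterministic counter mode: c[i] = m[i] XOR F(k, i). Decryption is the same call."""
    pad = b"".join(prf(k, i) for i in range((len(m) + 31) // 32))
    return bytes(a ^ b for a, b in zip(m, pad))


def two_time_leak(c1: bytes, c2: bytes) -> bytes:
    """Reusing the key: c1 XOR c2 = m1 XOR m2, the pad cancels (why the key is one-time)."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    table = make_prp(b"example key")                         # constructed key
    print(equal_block_pairs(ecb_encrypt(table, b"ABABCDAB")))  # blocks 0, 1, 3 are equal
    enc = lambda m: ecb_encrypt(table, m)
    print([ss_experiment(enc, b"ABAB", b"ABCD", b, ecb_ss_adversary) for b in (0, 1)])
    k = b"one-time key"
    c1, c2 = det_ctr_encrypt(k, b"attack at dawn"), det_ctr_encrypt(k, b"attack at dusk")
    print(two_time_leak(c1, c2))                               # = m1 XOR m2, only 'aw'/'us' differ
```

The ECB adversary wins with probability 1 in both experiments, the maximal advantage; deterministic counter mode has no such attacker for a single message, but the last line shows exactly what goes wrong when the same key encrypts a second one, which is the motivation for the many-time-key modes that follow.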
Using block ciphers

Security for many-time key

Example applications:

1. Filesystems: Same AES key used to encrypt many files.

2. IPsec: Same AES key used to encrypt many packets.

Semantic Security for many-time key

Key used more than once ⇒ adv. sees many CTs with same key

Adversary's power: chosen-plaintext attack (CPA)

• Can obtain the encryption of arbitrary messages of his choice

  (conservative modeling of real life)

Adversary's goal: Break semantic security

Semantic Security for many-time key (CPA security)

E = (E,D) a cipher defined over (K,M,C). For b = 0,1 define EXP(b) as:

  Chal.: k ← K
  for i = 1, ..., q:
      Adv. sends m_{i,0}, m_{i,1} ∈ M with |m_{i,0}| = |m_{i,1}|
      Chal. returns c_i ← E(k, m_{i,b})
  Adv. outputs b' ∈ {0,1}

if adv. wants c = E(k, m) it queries with m_{j,0} = m_{j,1} = m

Def: E is sem. sec. under CPA if for all "efficient" A:

Adv_CPA[A,E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] |   is "negligible."

Ciphers insecure under CPA

Suppose E(k,m) always outputs same ciphertext for msg m. Then:

  Adv. sends m_0, m_0 ∈ M ;   Chal. returns c_0 ← E(k, m_0)
  Adv. sends m_0, m_1 ∈ M ;   Chal. returns c ← E(k, m_b)
  Adv. outputs 0 if c = c_0 (and 1 otherwise)   ⇒   Adv_CPA[A,E] = 1

So what? an attacker can learn that two encrypted files are the same, two encrypted packets are the same, etc.

Leads to significant attacks when message space M is small

If secret key is to be used multiple times ⇒ given the same plaintext message twice, encryption must produce different outputs.

Solution 1: randomized encryption

E(k,m) is a randomized algorithm:

  encrypting same msg twice gives different ciphertexts (w.h.p)

  ciphertext must be longer than plaintext

Roughly speaking: CT-size = PT-size + "# random bits"

Let F: K × R → M be a secure PRF.

For m ∈ M define E(k,m) = [ r ← R, output (r, F(k,r) ⊕ m) ]

Is E semantically secure under CPA?

O Yes, whenever F is a secure PRF
O No, there is always a CPA attack on this system
O Yes, but only if R is large enough so r never repeats (w.h.p)
O It depends on what F is used

Solution 2: nonce-based Encryption

[diagram: E(k, m, n) → c and D(k, c, n) → m; the nonce n is an input to both sides]

• nonce n: a value that changes from msg to msg.

  (k,n) pair never used more than once

• method 1: nonce is a counter (e.g. packet counter)

  - used when encryptor keeps state from msg to msg

  - if decryptor has same state, need not send nonce with CT

• method 2: encryptor chooses a random nonce, n ← N

CPA security for nonce-based encryption

System should be secure when nonces are chosen adversarially.

[diagram: as in the CPA game, but with each query pair the adversary also supplies a nonce n_i and receives c_i ← E(k, m_{i,b}, n_i)]

All nonces {n_1, ..., n_q} must be distinct.

Def: nonce-based E is sem. sec. under CPA if for all "efficient" A:
Adv_nCPA[A,E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] |   is "negligible."

Let F: K × R → M be a secure PRF. Let r = 0 initially.

define E(k,m) = [ r++, output (r, F(k,r) ⊕ m) ]

Is E CPA secure nonce-based encryption?

O Yes, whenever F is a secure PRF
O No, there is always a nonce-based CPA attack on this system
O Yes, but only if R is large enough so r never repeats
O It depends on what F is used
Using block ciphers

Modes of operation: many time key (CBC)

Example applications:

1. Filesystems: Same AES key used to encrypt many files.

2. IPsec: Same AES key used to encrypt many packets.

Construction 1: CBC with random IV

Let (E,D) be a PRP. E_CBC(k, m): choose random IV ← X and do:

    IV   ⊕ m[0] → E(k,·) → c[0]
    c[0] ⊕ m[1] → E(k,·) → c[1]
    c[1] ⊕ m[2] → E(k,·) → c[2]
    ...

ciphertext = ( IV, c[0], c[1], c[2], ... )

Decryption circuit

In symbols:   c[0] = E(k, IV ⊕ m[0])        ⇒   m[0] = D(k, c[0]) ⊕ IV
              c[i] = E(k, c[i-1] ⊕ m[i])    ⇒   m[i] = D(k, c[i]) ⊕ c[i-1]

CBC: CPA Analysis

CBC Theorem: For any L>0,

If E is a secure PRP over (K,X) then E_CBC is a sem. sec. under CPA over (K, X^L, X^{L+1}).

In particular, for a q-query adversary A attacking E_CBC there exists a PRP adversary B s.t.:

Adv_CPA[A, E_CBC] ≤ 2·Adv_PRP[B, E] + 2 q^2 L^2 / |X|

Note: CBC is only secure as long as q^2 L^2 ≪ |X|

An example

Adv_CPA[A, E_CBC] ≤ 2·Adv_PRP[B, E] + 2 q^2 L^2 / |X|

q = # messages encrypted with k ,   L = length of max message

Suppose we want Adv_CPA[A, E_CBC] ≤ 1/2^32   ⇐   q^2 L^2 / |X| < 1/2^32

• AES: |X| = 2^128  ⇒  q L < 2^48

  So, after 2^48 AES blocks, must change key

• 3DES: |X| = 2^64  ⇒  q L < 2^16
Warning: an attack on CBC with rand. IV

CBC where attacker can predict the IV is not CPA-secure !!

Suppose given c ← E_CBC(k, m) can predict IV for next message

  Adv. sends (0, 0) as the first query pair
  Chal. returns c_1 ← [ IV_1, E(k, 0 ⊕ IV_1) ]
  Adv. predicts the next IV and sends m_0 = IV ⊕ IV_1 ,  m_1 ≠ m_0
  Chal. returns c ← [ IV, E(k, m_b ⊕ IV) ]
  Adv. outputs 0 if c[1] = c_1[1]      (since E(k, m_0 ⊕ IV) = E(k, IV_1) = c_1[1])

Bug in SSL/TLS 1.0: IV for record #i is last CT block of record #(i-1)

Construction 1': nonce-based CBC

Cipher block chaining with unique nonce: key = (k, k_1)

unique nonce means: (key, n) pair is used for only one message

[diagram: IV = E(k_1, nonce), then CBC under k as before: c[0] = E(k, IV ⊕ m[0]), c[i] = E(k, c[i-1] ⊕ m[i]); ciphertext = ( nonce, c[0], c[1], ... )]

An example Crypto API (OpenSSL)

  void AES_cbc_encrypt(
      const unsigned char *in,
      unsigned char *out,
      size_t length,
      const AES_KEY *key,
      unsigned char *ivec,        ←  user supplies IV
      AES_ENCRYPT or AES_DECRYPT);

When nonce is non random need to encrypt it before use

A CBC technicality: padding

[diagram: the last block is padded to a full block; when the message is already a multiple of the block length a dummy padding block is added (see the ctr vs. CBC comparison below)]
Using block ciphers

Modes of operation: many time key (CTR)

Example applications:

1. Filesystems: Same AES key used to encrypt many files.

2. IPsec: Same AES key used to encrypt many packets.

Construction 2: rand ctr-mode

Let F: K × {0,1}^n → {0,1}^n be a secure PRF.

E(k,m): choose a random IV ∈ {0,1}^n and do:

    msg:            m[0]        m[1]       ...      m[L]
                     ⊕           ⊕                   ⊕
                F(k,IV)    F(k,IV+1)     ...   F(k,IV+L)
    ------------------------------------------------------
    ciphertext: IV  c[0]        c[1]       ...      c[L]

note: parallelizable (unlike CBC)

Construction 2': nonce ctr-mode

[same diagram, with the IV built from a nonce and a counter]

To ensure F(k,x) is never used more than once, choose IV as:

    IV (128 bits) =  | nonce (64 bits) | counter (64 bits), starts at 0 for every msg |

rand ctr-mode (rand. IV): CPA analysis

• Counter-mode Theorem: For any L>0,

  If F is a secure PRF over (K,X,X) then E_CTR is a sem. sec. under CPA over (K, X^L, X^{L+1}).

  In particular, for a q-query adversary A attacking E_CTR there exists a PRF adversary B s.t.:

  Adv_CPA[A, E_CTR] ≤ 2·Adv_PRF[B, F] + 2 q^2 L / |X|

Note: ctr-mode only secure as long as q^2 L ≪ |X|.   Better than CBC !

An example

Adv_CPA[A, E_CTR] ≤ 2·Adv_PRF[B, F] + 2 q^2 L / |X|

q = # messages encrypted with k ,   L = length of max message

Suppose we want Adv_CPA[A, E_CTR] ≤ 1/2^32   ⇐   q^2 L / |X| < 1/2^32

• AES: |X| = 2^128  ⇒  q L^{1/2} < 2^48

  So, after 2^32 CTs each of len 2^32, must change key

  (total of 2^64 AES blocks)

Comparison: ctr vs. CBC

                                  CBC                ctr mode
parallel processing               No                 Yes
Security of rand. enc.            q^2 L^2 ≪ |X|      q^2 L ≪ |X|
dummy padding block               Yes                No
1 byte msgs (nonce-based)         16x expansion      no expansion

(for CBC, dummy padding block can be solved using ciphertext stealing)
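CBC with a random IV, the predictable-IV attack from the warning slide (with a challenger that chains IVs the way SSL/TLS 1.0 did), and nonce-based counter mode with the 64-bit nonce || 64-bit counter IV layout, as one added example covering both the CBC and the CTR slides (not code from the course). The PRP (E, D) is a stand-in, a random permutation of 2-byte blocks seeded from the key, and F is HMAC-SHA256 truncated to 128 bits; both are assumptions for the example, not AES.

```python
import hmac
import hashlib
import os
import random

BLOCK = 2  # 16-bit blocks for the PRP stand-in (AES has 16-byte blocks)


def make_prp(key: bytes):
    """Stand-in for (E, D): a random permutation of {0,1}^16 seeded from the key
    (assumption for the example, not AES), as forward and inverse tables."""
    fwd = list(range(1 << 16))
    random.Random(key).shuffle(fwd)
    inv = [0] * len(fwd)
    for i, v in enumerate(fwd):
        inv[v] = i
    return fwd, inv


def to_blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0
    return [int.from_bytes(data[i:i + BLOCK], "big") for i in range(0, len(data), BLOCK)]


def from_blocks(vals: list) -> bytes:
    return b"".join(v.to_bytes(BLOCK, "big") for v in vals)


def cbc_encrypt(prp, m: bytes, iv: int = None):
    """c[0] = E(k, IV XOR m[0]), c[i] = E(k, c[i-1] XOR m[i]); IV random unless supplied."""
    fwd, _ = prp
    if iv is None:
        iv = int.from_bytes(os.urandom(BLOCK), "big")
    out, prev = [], iv
    for x in to_blocks(m):
        prev = fwd[prev ^ x]
        out.append(prev)
    return iv, from_blocks(out)


def cbc_decrypt(prp, iv: int, c: bytes) -> bytes:
    """m[i] = D(k, c[i]) XOR c[i-1], with c[-1] = IV."""
    _, inv = prp
    out, prev = [], iv
    for y in to_blocks(c):
        out.append(inv[y] ^ prev)
        prev = y
    return from_blocks(out)


class ChainedIvChallenger:
    """CPA challenger that, like SSL/TLS 1.0, uses the last ciphertext block of
    record i-1 as the IV of record i, so the attacker can predict every IV."""

    def __init__(self, prp, b: int):
        self.prp, self.b = prp, b
        self.next_iv = int.from_bytes(os.urandom(BLOCK), "big")

    def query(self, m0: bytes, m1: bytes):
        iv, c = cbc_encrypt(self.prp, m1 if self.b else m0, self.next_iv)
        self.next_iv = to_blocks(c)[-1]
        return iv, c


def predictable_iv_attack(chal: ChainedIvChallenger) -> int:
    """The slide's adversary: learn c_1 = E(k, 0 XOR IV_1), predict the next IV, then
    submit m_0 = IV XOR IV_1 (so E(k, m_0 XOR IV) = c_1 again) against any m_1 != m_0."""
    iv1, c1 = chal.query(bytes(BLOCK), bytes(BLOCK))
    iv = to_blocks(c1)[-1]                  # the IV the challenger will use next
    m0 = from_blocks([iv ^ iv1])
    m1 = from_blocks([iv ^ iv1 ^ 1])
    _, c = chal.query(m0, m1)
    return 0 if c == c1 else 1


def prf(k: bytes, x: int) -> bytes:
    """F(k, x) on a 128-bit x: HMAC-SHA256 truncated (assumption for the example)."""
    return hmac.new(k, x.to_bytes(16, "big"), hashlib.sha256).digest()[:16]


def nonce_ctr(k: bytes, nonce: int, m: bytes) -> bytes:
    """Nonce counter mode: IV = nonce (64 bits) || counter (64 bits, from 0 per message),
    c[i] = m[i] XOR F(k, IV + i). The same call decrypts; no padding, no expansion."""
    assert 0 <= nonce < (1 << 64)
    out = bytearray()
    for i in range(0, len(m), 16):
        pad = prf(k, (nonce << 64) | (i // 16))
        out += bytes(a ^ b for a, b in zip(m[i:i + 16], pad))
    return bytes(out)


if __name__ == "__main__":
    prp = make_prp(b"example key")                             # constructed key
    print([predictable_iv_attack(ChainedIvChallenger(prp, b)) for b in (0, 1)])  # [0, 1]
    print(len(nonce_ctr(b"ctr key", 7, b"x")))                 # 1: a 1-byte message stays 1 byte
```

The attack returns the challenger's bit b every time, i.e. Adv_CPA = 1, and it needs nothing more than the ability to choose plaintexts after seeing the previous record; the fix is an IV that is unpredictable (random, or the encryption of a nonce under a second key, as in construction 1') before the adversary picks its next message.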
Summary

• PRPs and PRFs: a useful abstraction of block ciphers.

• We examined two security notions: (security against eavesdropping)

  1. Semantic security against one-time CPA.

  2. Semantic security against many-time CPA.

  Note: neither mode ensures data integrity.

• Stated security results summarized in the following table:

  Goal        one-time key                     Many-time key (CPA)        CPA and integrity
  Sem. Sec.   stream-ciphers, det. ctr-mode    rand ctr-mode, rand CBC    later

Further reading

• A concrete security treatment of symmetric encryption: Analysis of the DES modes of operation, M. Bellare, A. Desai, E. Jokipii and P. Rogaway, FOCS 1997

• Nonce-Based Symmetric Encryption, P. Rogaway, FSE 2004
Message integrity

Message Auth. Codes

Message Integrity

Goal: integrity, no confidentiality.

Examples:

- Protecting public binaries on disk.

- Protecting banner ads on web pages.

Message integrity: MACs

[diagram: Alice and Bob share key k; Alice sends (message m, tag); Alice generates tag ← S(k, m); Bob verifies V(k, m, tag) = 'yes']

Def: MAC I = (S,V) defined over (K,M,T) is a pair of algs:
- S(k,m) outputs t in T
- V(k,m,t) outputs 'yes' or 'no'

Integrity requires a secret key

[diagram: Alice sends (message m, tag) with tag ← CRC(m); Bob verifies V(m, tag) = 'yes'; no key is involved]

Attacker can easily modify message m and re-compute CRC.

CRC designed to detect random, not malicious errors.

Secure MACs

Attacker's power: chosen message attack

• for m_1, m_2, ..., m_q attacker is given t_i ← S(k, m_i)

Attacker's goal: existential forgery

• produce some new valid message/tag pair (m,t).

  (m,t) ∉ { (m_1,t_1), ..., (m_q,t_q) }

⇒ attacker cannot produce a valid tag for a new message
⇒ given (m,t) attacker cannot even produce (m,t') for t' ≠ t
Secure MACs

• For a MAC I = (S,V) and adv. A define a MAC game as:

  Chal.: k ← K
  Adv. sends m_1, m_2, ..., m_q ∈ M and receives t_1 ← S(k,m_1), t_2, ..., t_q
  Adv. outputs (m, t)

  b = 1 if V(k,m,t) = 'yes' and (m,t) ∉ { (m_1,t_1), ..., (m_q,t_q) }
  b = 0 otherwise

Def: I = (S,V) is a secure MAC if for all "efficient" A:

Adv_MAC[A,I] = Pr[Chal. outputs 1]   is "negligible."

Let I = (S,V) be a MAC.

Suppose an attacker is able to find m_0 ≠ m_1 such that
S(k, m_0) = S(k, m_1) for 1/2 of the keys k in K

Can this MAC be secure?

O Yes, the attacker cannot generate a valid tag for m_0 or m_1
O No, this MAC can be broken using a chosen msg attack
O It depends on the details of the MAC

Let I = (S,V) be a MAC.

Suppose S(k,m) is always 5 bits long

Can this MAC be secure?

O No, an attacker can simply guess the tag for messages
O It depends on the details of the MAC
O Yes, the attacker cannot generate a valid tag for any message
Example: protecting system files

Suppose at install time the system computes:

  F_1 → t_1 = S(k, F_1)
  F_2 → t_2 = S(k, F_2)
  ...
  F_n → t_n = S(k, F_n)        (k derived from user's password)

Later a virus infects system and modifies system files

User reboots into clean OS and supplies his password

- Then: secure MAC ⇒ all modified files will be detected
Message Integrity

MACs based on PRFs

Review: Secure MACs

MAC: signing alg. S(k,m) → t and verification alg. V(k,m,t) → {0,1}

Attacker's power: chosen message attack

• for m_1, m_2, ..., m_q attacker is given t_i ← S(k, m_i)

Attacker's goal: existential forgery

• produce some new valid message/tag pair (m,t).

  (m,t) ∉ { (m_1,t_1), ..., (m_q,t_q) }

⇒ attacker cannot produce a valid tag for a new message

Secure PRF ⇒ Secure MAC

For a PRF F: K × X → Y define a MAC I_F = (S,V) as:

- S(k,m) := F(k,m)

- V(k,m,t): output 'yes' if t = F(k,m) and 'no' otherwise.

[diagram: Alice sends (message m, tag) with tag ← F(k,m); Bob accepts msg if tag = F(k,m)]

A bad example

Suppose F: K × X → Y is a secure PRF with Y = {0,1}^10

Is the derived MAC I_F a secure MAC system?

O Yes, the MAC is secure because the PRF is secure
O No, tags are too short: anyone can guess the tag for any msg
O It depends on the function F

Security

Thm: If F: K × X → Y is a secure PRF and 1/|Y| is negligible (i.e. |Y| is large) then I_F is a secure MAC.

In particular, for every eff. MAC adversary A attacking I_F there exists an eff. PRF adversary B attacking F s.t.:

Adv_MAC[A, I_F] ≤ Adv_PRF[B,F] + 1/|Y|

I_F is secure as long as |Y| is large, say |Y| = 2^80.

Proof Sketch

Suppose f: X → Y is a truly random function
Then MAC adversary A must win the following game:

  Adv. sends m_1, ..., m_q and receives f(m_1), ..., f(m_q) ; Adv. outputs (m, t)

A wins if t = f(m) and m ∉ { m_1, ..., m_q }

⇒ Pr[A wins] = 1/|Y|      same must hold for F(k,x)

Examples

AES: a MAC for 16-byte messages.

Main question: how to convert Small-MAC into a Big-MAC

Two main constructions used in practice:

- CBC-MAC (banking - ANSI X9.9, X9.19, FIPS 186-3)

- HMAC (Internet protocols: SSL, IPsec, SSH, ...)

Both convert a small-PRF into a big-PRF.

Truncating MACs based on PRFs

Easy lemma: suppose F: K × X → {0,1}^n is a secure PRF.

Then so is F_t(k,m) = F(k,m)[1...t] for all 1 ≤ t ≤ n      (the first t bits of the output)

⇒ if (S,V) is a MAC based on a secure PRF outputting n-bit tags,
   the truncated MAC outputting w bits is secure

   ... as long as 1/2^w is still negligible (say w ≥ 64)
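The PRF-based MAC I_F, its truncation F_t, and the "bad example" attack, as one added example (not code from the course): with a 10-bit tag an attacker forges a tag for any message of its choice with at most 2^10 verification queries and no chosen-message queries at all, while a 64-bit truncation of the same PRF is out of reach. HMAC-SHA256 stands in for the PRF F; that, and the choice to take the leading t bits, are assumptions for the example. Verification compares tags in constant time, which the slides do not discuss but any deployed V must do.

```python
import hmac
import hashlib

OUT_BITS = 256  # |Y| = 2^256 for the untruncated PRF


def prf(k: bytes, m: bytes) -> bytes:
    """F: K x X -> {0,1}^256, HMAC-SHA256 as the PRF (assumption for the example)."""
    return hmac.new(k, m, hashlib.sha256).digest()


def make_mac(tag_bits: int):
    """I_F = (S, V) with S(k,m) = F(k,m)[1..tag_bits]: the truncated PRF of the easy lemma.
    Returns the pair of algorithms; tag_bits must be large for the MAC to be secure."""
    assert 1 <= tag_bits <= OUT_BITS
    nbytes = (tag_bits + 7) // 8

    def sign(k: bytes, m: bytes) -> bytes:
        t = int.from_bytes(prf(k, m), "big") >> (OUT_BITS - tag_bits)
        return t.to_bytes(nbytes, "big")

    def verify(k: bytes, m: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(sign(k, m), tag)   # constant-time comparison

    return sign, verify


def guess_forgery(verify, k: bytes, m: bytes, tag_bits: int, max_queries: int):
    """Existential forgery by tag guessing: no chosen-message queries, only verification
    queries, at most 2^tag_bits of them. Returns (queries used, tag) or None within budget."""
    nbytes = (tag_bits + 7) // 8
    for t in range(min(max_queries, 1 << tag_bits)):
        tag = t.to_bytes(nbytes, "big")
        if verify(k, m, tag):
            return t + 1, tag
    return None


if __name__ == "__main__":
    k = b"mac key"                                    # constructed key
    sign10, verify10 = make_mac(10)
    print(guess_forgery(verify10, k, b"pay Eve 1000000", 10, 1 << 10))   # (<= 1024, tag)
    sign64, verify64 = make_mac(64)
    print(guess_forgery(verify64, k, b"pay Eve 1000000", 64, 20000))     # None
```

The forger never sees a single valid tag, so no chosen-message security can help; the only defence is |Y|, which is why the theorem's bound carries the 1/|Y| term and the lemma asks for 1/2^w to be negligible.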
Message Integrity

CBC-MAC and NMAC

MACs and PRFs

Recall: secure PRF F ⇒ secure MAC, as long as |Y| is large

S(k, m) = F(k, m)

Our goal:

given a PRF for short messages (AES)
construct a PRF for long messages

From here on let X = {0,1}^n (e.g. n=128)

Construction 1: encrypted CBC-MAC

Let F: K × X → X be a PRP. Define F_ECBC: K^2 × X^{≤L} → X as

  raw CBC:   t_0 = 0 ,   t_i = F(k, t_{i-1} ⊕ m[i])   for i = 1, ..., L
  F_ECBC(k, k_1, m) = F(k_1, t_L)

[diagram: m[0] → F(k,·) → ⊕ m[1] → F(k,·) → ... → F(k,·) → F(k_1,·) → tag; the part before the final F(k_1,·) is the raw CBC]

Construction 2: NMAC (nested MAC)

Let F: K × X → K be a PRF. Define F_NMAC: K^2 × X^{≤L} → K as

  cascade:   t_0 = k ,   t_i = F(t_{i-1}, m[i])   for i = 1, ..., L
  F_NMAC(k, k_1, m) = F(k_1, t_L || fpad)     (t_L padded to a full block)

[diagram: k → F(·, m[0]) → F(·, m[1]) → ... → t → pad → F(k_1, ·) → tag; the part before the final F(k_1,·) is the cascade]

Why the last encryption step in ECBC-MAC and NMAC?

NMAC: suppose we define a MAC I = (S,V) where

S(k,m) = cascade(k, m)

O This MAC is secure
O This MAC can be forged without any chosen msg queries
O This MAC can be forged with one chosen msg query
O This MAC can be forged, but only with two msg queries

(hint: cascade(k, m || w) = F(cascade(k, m), w))

Why the last encryption step in ECBC-MAC?

Suppose we define a MAC I_raw = (S,V) where

S(k,m) = rawCBC(k,m)

Then I_raw is easily broken using a 1-chosen msg attack.

Adversary works as follows:

- Choose an arbitrary one-block message m ∈ X

- Request tag for m. Get t = F(k,m)

- Output t as MAC forgery for the 2-block message (m, t ⊕ m)

Indeed: rawCBC(k, (m, t ⊕ m)) = F(k, F(k,m) ⊕ (t ⊕ m)) = F(k, t ⊕ (t ⊕ m)) = F(k, m) = t
ECBC-MAC and NMAC analysis

Theorem: For any L>0,

For every eff. q-query PRF adv. A attacking F_ECBC or F_NMAC
there exists an eff. adversary B s.t.:

  Adv_PRF[A, F_ECBC] ≤ Adv_PRF[B, F] + 2 q^2 / |X|

  Adv_PRF[A, F_NMAC] ≤ q·L·Adv_PRF[B, F] + q^2 / 2|K|

CBC-MAC is secure as long as q << |X|^(1/2)

NMAC is secure as long as q << |K|^(1/2)   (2^64 for AES-128)
An example

  Adv_PRF[A, F_ECBC] ≤ Adv_PRF[B, F] + 2 q^2 / |X|

q = # messages MAC-ed with k

Suppose we want Adv_PRF[A, F_ECBC] ≤ 1/2^32   ⇒   q^2/|X| < 1/2^32

• AES: |X| = 2^128  ⇒  q < 2^48

  So, after 2^48 messages must change key

• 3DES: |X| = 2^64  ⇒  q < 2^16



The security bounds are tight: an attack

After signing |X|^(1/2) messages with ECBC-MAC or
|K|^(1/2) messages with NMAC
the MACs become insecure

Suppose the underlying PRF F is a PRP (e.g. AES)

• Then both PRFs (ECBC and NMAC) have the following extension property:

  ∀x,y,w:  F_BIG(k, x) = F_BIG(k, y)  ⇒  F_BIG(k, x||w) = F_BIG(k, y||w)

The security bounds are tight: an attack

Let F_BIG: K x X -> Y be a PRF that has the extension property

  F_BIG(k, x) = F_BIG(k, y)  ⇒  F_BIG(k, x||w) = F_BIG(k, y||w)

Generic attack on the derived MAC:

step 1: issue |Y|^(1/2) message queries for rand. messages in X.
        obtain (m_i, t_i) for i = 1, ..., |Y|^(1/2)
step 2: find a collision t_u = t_v for u ≠ v (one exists w.h.p. by b-day paradox)
step 3: choose some w and query for t := F_BIG(k, m_u || w)
step 4: output forgery (m_v || w, t). Indeed t := F_BIG(k, m_v || w)
Better security: a rand. construction

Let F: K x X -> X be a PRF. Result: MAC with tags in X^2.

Security:  Adv_MAC[A, I_RCBC] ≤ Adv_PRF[B, F] · (1 + 2 q^2 / |X|)

For 3DES: can sign q=2^32 msgs with one key
Comparison

ECBC-MAC is commonly used as an AES-based MAC

• CCM encryption mode (used in 802.11i)

• NIST standard called CMAC

NMAC not usually used with AES or 3DES

• Main reason: need to change AES key on every block

  requires re-computing AES key expansion

• But NMAC is the basis for a popular MAC called HMAC (next)
Message Integrity

MAC padding

Recall: ECBC-MAC

[figure: ECBC-MAC over m[0], ..., m[3] with final encryption step]

What if msg. len. is not a multiple of the block size?
CBC MAC padding

Bad idea: pad m with 0's

  m[0] || m[1]   ->   m[0] || m[1] || 0000

Is the resulting MAC secure?

O Yes, the MAC is secure
O It depends on the underlying MAC
  No, given tag on msg m attacker obtains tag on m||0
O

Problem: pad(m) = pad(m||0)









CBC MAC padding

For security, padding must be invertible!

  m0 ≠ m1  ⇒  pad(m0) ≠ pad(m1)

ISO: pad with 1000...00. Add new dummy block if needed.

- The "1" indicates beginning of pad.

  m[0]  || m[1]    ->   m[0]  || m[1]  || 100
  m'[0] || m'[1]   ->   m'[0] || m'[1] || 1000...000
CMAC (NIST standard)

Variant of CBC-MAC where key = (k, k1, k2)

• No final encryption step (extension attack thwarted by last keyed xor)

• No dummy block (ambiguity resolved by use of k1 or k2)
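The two padding rules and the CMAC-style last-block handling, as an added example (not code from the course or from the CMAC standard). The block PRF F is again a stand-in (HMAC-SHA256 truncated to one block, in place of AES), and the three keys (k, k1, k2) are taken as independent inputs exactly as the slide describes them; real CMAC derives k1 and k2 from k, which this example does not do.

```python
import hashlib
import hmac

BLOCK = 16


def F(k: bytes, x: bytes) -> bytes:
    # Stand-in block PRF (assumption: HMAC-SHA256 truncated, not AES).
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def pad_zero(m: bytes) -> bytes:
    # Bad idea: pad with 0's. Not injective: pad_zero(m) == pad_zero(m + b"\x00").
    return m + bytes(-len(m) % BLOCK)


def pad_iso(m: bytes) -> bytes:
    # ISO padding: a 0x80 byte (the leading "1" bit) then 0's. It always adds at
    # least one byte, so a block-aligned message gets a whole dummy block.
    return m + b"\x80" + bytes(-(len(m) + 1) % BLOCK)


def unpad_iso(p: bytes) -> bytes:
    # Invertible: strip the trailing 0's, then the single 0x80 marker.
    body = p.rstrip(b"\x00")
    if not body.endswith(b"\x80"):
        raise ValueError("not ISO-padded")
    return body[:-1]


def cbc_mac_iso(k: bytes, k1: bytes, m: bytes) -> bytes:
    # ECBC-MAC over ISO-padded input: rawCBC under k, final F under k1.
    p = pad_iso(m)
    t = bytes(BLOCK)
    for i in range(0, len(p), BLOCK):
        t = F(k, xor(t, p[i:i + BLOCK]))
    return F(k1, t)


def cmac_style(k: bytes, k1: bytes, k2: bytes, m: bytes) -> bytes:
    """CMAC-style variant from the slide: key = (k, k1, k2), no final
    encryption step and no dummy block. A full last block is xored with k1;
    a partial last block is 10*-padded and xored with k2. The key choice
    tells the two cases apart, so no dummy block is needed."""
    if m and len(m) % BLOCK == 0:
        p, last_key = m, k1
    else:
        p, last_key = pad_iso(m), k2
    blocks = [p[i:i + BLOCK] for i in range(0, len(p), BLOCK)]
    t = bytes(BLOCK)
    for b in blocks[:-1]:
        t = F(k, xor(t, b))
    # Last keyed xor: the final block is masked by k1 or k2 before the last F.
    return F(k, xor(xor(t, blocks[-1]), last_key))


if __name__ == "__main__":
    k, k1, k2 = b"a" * 16, b"b" * 16, b"c" * 16
    print("zero padding collides:", pad_zero(b"abc") == pad_zero(b"abc\x00"))
    print("ISO padding collides:", pad_iso(b"abc") != pad_iso(b"abc\x00"))
    print("CMAC-style tags differ:",
          cmac_style(k, k1, k2, b"abc") != cmac_style(k, k1, k2, pad_iso(b"abc")))
```

The last check is the ambiguity CMAC removes: the 3-byte message "abc" and the 16-byte message equal to its padded form would collide under plain ISO padding without a dummy block; here one goes through k2 and the other through k1, so the tags differ.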
Message Integrity

PMAC and Carter-Wegman MAC

• ECBC and NMAC are sequential.

• Can we build a parallel MAC from a small PRF??

Construction 3: PMAC

P(k, i): an easy to compute function

key = (k, k1)

Padding similar to CMAC

Let F: K x X -> X be a PRF

Define new PRF F_PMAC: K^2 x X^{≤L} -> X

[figure: parallel MAC; each block m[i] is xored with P(k,i) and fed to F(k1, ·), the results are xored together and F(k1, ·) is applied once more to give the tag]
PMAC: Analysis

PMAC Theorem: For any L>0,

If F is a secure PRF over (K,X,X) then
F_PMAC is a secure PRF over (K, X^{≤L}, X).

For every eff. q-query PRF adv. A attacking F_PMAC
there exists an eff. PRF adversary B s.t.:

  Adv_PRF[A, F_PMAC] ≤ Adv_PRF[B,F] + 2 q^2 L^2 / |X|

PMAC is secure as long as qL << |X|^(1/2)
PMAC is incremental

Suppose F is a PRP.

When m[1] -> m'[1]
can we quickly update tag?

[figure: PMAC over m[1], m[2], m[3], m[4]]

O no, it can't be done
O do F^{-1}(k1, tag) ⊕ F(k1, m'[1] ⊕ P(k,1))
O do F^{-1}(k1, tag) ⊕ F(k1, m[1] ⊕ P(k,1)) ⊕ F(k1, m'[1] ⊕ P(k,1))
O do tag ⊕ F(k1, m[1] ⊕ P(k,1)) ⊕ F(k1, m'[1] ⊕ P(k,1))

Then apply F(k1, ·)
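The incremental update can be checked directly. This is an added example, not course code: it builds a small invertible PRP E (a 4-round Feistel network whose round functions are HMAC-SHA256, an assumption standing in for AES), a PMAC-style parallel MAC over full blocks with the block masks P(k,i) derived from a PRF (also an assumption; the slide only says P is "easy to compute"), and the update rule from the quiz: invert the final F, remove the old block's contribution, add the new one, and apply F again. Padding is left out, so messages are whole blocks.

```python
import hashlib
import hmac

BLOCK, HALF = 16, 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def _round(k: bytes, i: int, half: bytes) -> bytes:
    # Round function i of the Feistel network (assumption: HMAC-SHA256 based).
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def E(k: bytes, x: bytes) -> bytes:
    """Toy PRP on 16-byte blocks: 4-round Feistel, so it is invertible."""
    L, R = x[:HALF], x[HALF:]
    for i in range(4):
        L, R = R, xor(L, _round(k, i, R))
    return L + R


def Einv(k: bytes, y: bytes) -> bytes:
    """Inverse of E: run the rounds backwards."""
    L, R = y[:HALF], y[HALF:]
    for i in reversed(range(4)):
        L, R = xor(R, _round(k, i, L)), L
    return L + R


def P(k: bytes, i: int) -> bytes:
    # Block mask P(k, i). Assumption: a PRF of the index, cheap to compute.
    return hmac.new(k, b"P" + i.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK]


def pmac(k: bytes, k1: bytes, blocks: list) -> bytes:
    """PMAC-style parallel MAC: tag = F(k1, XOR_i F(k1, m[i] xor P(k,i))).
    Each block's term is independent of the others, so they can be computed
    in parallel; block indices start at 0 here."""
    acc = bytes(BLOCK)
    for i, m in enumerate(blocks):
        acc = xor(acc, E(k1, xor(m, P(k, i))))
    return E(k1, acc)


def pmac_update(k: bytes, k1: bytes, tag: bytes, i: int, old: bytes, new: bytes) -> bytes:
    """Incremental update when block i changes from `old` to `new`:
    F^-1(k1, tag) xor F(k1, old xor P(k,i)) xor F(k1, new xor P(k,i)), then F(k1, .).
    Cost: three block operations regardless of the message length."""
    acc = Einv(k1, tag)
    acc = xor(acc, E(k1, xor(old, P(k, i))))
    acc = xor(acc, E(k1, xor(new, P(k, i))))
    return E(k1, acc)


if __name__ == "__main__":
    k, k1 = b"k" * 16, b"j" * 16
    msg = [bytes([i]) * 16 for i in range(4)]      # constructed 4-block message
    msg2 = list(msg)
    msg2[1] = b"\xff" * 16                          # change block 1
    fast = pmac_update(k, k1, pmac(k, k1, msg), 1, msg[1], msg2[1])
    print("incremental update matches recomputation:", fast == pmac(k, k1, msg2))
```

Because only the final layer is inverted, the update never needs the other blocks, which is what makes PMAC usable for MACing large files that change in place.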














One time MAC (analog of one time pad)

• For a MAC I=(S,V) and adv. A define a MAC game as:

  Chal.                               Adv.
  k <- K
            <------ m1 ∈ M ---------
            ---- t1 <- S(k,m1) ---->
            <------ (m,t) ----------

  b=1 if V(k,m,t) = 'yes' and (m,t) ≠ (m1,t1)
  b=0 otherwise

Def: I=(S,V) is a secure one-time MAC if for all "efficient" A:

  Adv_1MAC[A,I] = Pr[Chal. outputs 1] is "negligible."
One-time MAC: an example

Can be secure against all adversaries and faster than PRF-based MACs

Let q be a large prime (e.g. q = 2^128 + 51)

key = (a, b) <- {1,...,q}^2   (two random ints. in [1,q])
msg = (m[1], ..., m[L]) where each block is a 128 bit int.

S(key, msg) = P_msg(a) + b (mod q)

where P_msg(x) = x^(L+1) + m[L]·x^L + ... + m[1]·x is a poly. of deg L+1

We show: given S(key, msg1) adv. has no info about S(key, msg2)


One-time security (unconditional)

Thm: the one-time MAC on the previous slide satisfies (L=msg-len)

  ∀ m1≠m2, t1, t2:  Pr_{a,b}[ S((a,b), m1) = t1 | S((a,b), m2) = t2 ] ≤ L/q

Proof: ∀ m1≠m2, t1, t2:

(1) Pr_{a,b}[ S((a,b), m2) = t2 ] = Pr_{a,b}[ P_m2(a) + b = t2 ] = 1/q

(2) Pr_{a,b}[ S((a,b), m1) = t1 and S((a,b), m2) = t2 ] =
      Pr_{a,b}[ P_m1(a) - P_m2(a) = t1 - t2 and P_m2(a) + b = t2 ] ≤ L/q^2

⇒ given valid (m2,t2), adv. outputs (m1,t1) and is right with prob. ≤ L/q
One-time MAC ⇒ Many-time MAC

Let (S,V) be a secure one-time MAC over (K_I, M, {0,1}^n).
  (fast, long input)

Let F: K_F x {0,1}^n -> {0,1}^n be a secure PRF.
  (slow, but short input)

Carter-Wegman MAC:  CW((k1,k2), m) = (r, F(k1,r) ⊕ S(k2,m))
for random r <- {0,1}^n.

Thm: If (S,V) is a secure one-time MAC and F a secure PRF
then CW is a secure MAC outputting tags in {0,1}^2n.
CW((k1,k2), m) = (r, F(k1,r) ⊕ S(k2,m))

How would you verify a CW tag (r,t) on message m?

Recall that V(k2, m, ·) is the verification alg. for the one time MAC.

O Run V(k2, m, F(k1, t) ⊕ r)

O Run V(k2, m, r)

O Run V(k2, m, t)

O Run V(k2, m, F(k1, r) ⊕ t)
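The polynomial one-time MAC from the earlier slide and the Carter-Wegman wrapper around it, as an added example (not course code). It uses the slide's prime q = 2^128 + 51 and 128-bit blocks, evaluates P_msg with Horner's rule, and instantiates the PRF F with HMAC-SHA256 (an assumption; any PRF on {0,1}^n works). The one-time MAC is defined for messages of whole blocks, as on the slide, so the code insists on that rather than padding. The verifier recovers S(k2, m) = F(k1, r) ⊕ t and hands it to the one-time MAC's V, which is the last option of the quiz.

```python
import hashlib
import hmac
import secrets

q = 2**128 + 51      # the prime from the slide
BLOCK = 16           # each message block is a 128-bit integer
N = 32               # tag strings are 256 bits; a residue mod q fits in 129 bits


def poly_eval(blocks: list, a: int) -> int:
    """P_msg(a) = a^(L+1) + m[L]*a^L + ... + m[1]*a (mod q), by Horner's rule."""
    acc = 1                          # coefficient of x^(L+1)
    for m in reversed(blocks):       # m[L] first, m[1] last
        acc = (acc * a + m) % q
    return (acc * a) % q             # the final factor of x


def blocks_of(msg: bytes) -> list:
    if len(msg) % BLOCK:
        raise ValueError("one-time MAC is defined over whole 128-bit blocks")
    return [int.from_bytes(msg[i:i + BLOCK], "big") for i in range(0, len(msg), BLOCK)]


def ot_keygen():
    return (1 + secrets.randbelow(q), 1 + secrets.randbelow(q))   # (a, b) in [1, q]^2


def ot_sign(key, msg: bytes) -> int:
    a, b = key
    return (poly_eval(blocks_of(msg), a) + b) % q


def ot_verify(key, msg: bytes, tag: int) -> bool:
    return ot_sign(key, msg) == tag


def F(k1: bytes, r: bytes) -> bytes:
    # PRF F: K x {0,1}^n -> {0,1}^n. Assumption: HMAC-SHA256.
    return hmac.new(k1, r, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ s for p, s in zip(a, b))


def cw_sign(k1: bytes, k2, msg: bytes, r: bytes = None):
    """CW((k1,k2), m) = (r, F(k1,r) xor S(k2,m)) for fresh random r."""
    if r is None:
        r = secrets.token_bytes(N)
    s = ot_sign(k2, msg).to_bytes(N, "big")
    return r, xor(F(k1, r), s)


def cw_verify(k1: bytes, k2, msg: bytes, tag) -> bool:
    """Strip the PRF mask with the r that travels in the tag, then run the
    one-time MAC's verifier: V(k2, m, F(k1,r) xor t)."""
    r, t = tag
    s = int.from_bytes(xor(F(k1, r), t), "big")
    return ot_verify(k2, msg, s)


if __name__ == "__main__":
    k1, k2 = secrets.token_bytes(32), ot_keygen()
    msg = b"A" * 32                                   # constructed 2-block message
    tag = cw_sign(k1, k2, msg)
    print("valid tag accepted:", cw_verify(k1, k2, msg, tag))
    print("other message rejected:", cw_verify(k1, k2, b"B" * 32, tag))
```

The fresh r is what turns the one-time MAC into a many-time one: every tag masks S(k2, m) with a different PRF output, so no two tags reveal anything about a and b together.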



Construction 4: HMAC (Hash-MAC)

Most widely used MAC on the Internet.

... but first we need to discuss hash functions.
Further reading

J. Black, P. Rogaway: CBC MACs for Arbitrary-Length Messages: The Three-Key Constructions. J. Cryptology 18(2): 111-131 (2005)

K. Pietrzak: A Tight Bound for EMAC. ICALP (2) 2006: 168-179

J. Black, P. Rogaway: A Block-Cipher Mode of Operation for Parallelizable Message Authentication. EUROCRYPT 2002: 384-397

M. Bellare: New Proofs for NMAC and HMAC: Security Without Collision-Resistance. CRYPTO 2006: 602-619

Y. Dodis, K. Pietrzak, P. Puniya: A New Mode of Operation for Block Ciphers and Length-Preserving MACs. EUROCRYPT 2008: 198-219
Collision resistance

Introduction

Recap: message integrity

So far, four MAC constructions:

PRFs:  ECBC-MAC, CMAC : commonly used with AES (e.g. 802.11i)
       NMAC : basis of HMAC (this segment)
       PMAC : a parallel MAC

randomized MAC:  Carter-Wegman MAC : built from a fast one-time MAC

This module: MACs from collision resistance.
Collision Resistance

Let H: M -> T be a hash function ( |M| >> |T| )

A collision for H is a pair m0, m1 ∈ M such that:

  H(m0) = H(m1) and m0 ≠ m1

A function H is collision resistant if for all (explicit) "eff" algs. A:

  Adv_CR[A,H] = Pr[ A outputs collision for H ]

is neg.

Example: SHA-256 (outputs 256 bits)
MACs from Collision Resistance

Let I = (S,V) be a MAC for short messages over (K,M,T) (e.g. AES)

Let H: M^big -> M

Def: I^big = (S^big, V^big) over (K, M^big, T) as:

  S^big(k,m) = S(k,H(m)) ;  V^big(k,m,t) = V(k,H(m),t)

Thm: If I is a secure MAC and H is collision resistant
then I^big is a secure MAC.

Example: S(k,m) = AES_2-block-cbc(k, SHA-256(m)) is a secure MAC.

MACs from Collision Resistance

  S^big(k, m) = S(k, H(m)) ;  V^big(k, m, t) = V(k, H(m), t)

Collision resistance is necessary for security:

Suppose adversary can find m0 ≠ m1 s.t. H(m0) = H(m1).

Then: S^big is insecure under a 1-chosen msg attack

step 1: adversary asks for t <- S(k, m0)
step 2: output (m1, t) as forgery
Protecting file integrity using C.R. hash

Software packages:  F1, F2, ..., Fn  (package name + contents)

read-only public space:  H(F1), H(F2), ..., H(Fn)

When user downloads package, can verify that contents are valid

H collision resistant ⇒ attacker cannot modify package without detection

no key needed (public verifiability), but requires read-only space
Collision resistance

Generic birthday attack

Generic attack on C.R. functions

Let H: M -> {0,1}^n be a hash function ( |M| >> 2^n )

Generic alg. to find a collision in time O(2^(n/2)) hashes

Algorithm:

1. Choose 2^(n/2) random messages in M: m1, ..., m_{2^(n/2)} (distinct w.h.p)

2. For i = 1, ..., 2^(n/2) compute t_i = H(m_i) ∈ {0,1}^n

3. Look for a collision (t_i = t_j). If not found, go back to step 1.

How well will this work?
The birthday paradox

Let r1, ..., rn ∈ {1,...,B} be indep. identically distributed integers.

Thm: when n = 1.2 × B^(1/2) then Pr[ ∃ i≠j: r_i = r_j ] ≥ 1/2

Proof: (for uniform indep. r1, ..., rn)

  Pr[ ∃ i≠j: r_i = r_j ] = 1 - Pr[ all r_i distinct ]

    = 1 - ∏_{i=1}^{n-1} (1 - i/B)

    ≥ 1 - ∏_{i=1}^{n-1} e^{-i/B}          (using 1 - y ≤ e^{-y})

    = 1 - e^{-(1/B) Σ_{i=1}^{n-1} i} = 1 - e^{-n(n-1)/2B}

    ≈ 1 - e^{-n^2/2B} = 1 - e^{-0.72} ≈ 0.51 ≥ 1/2     (for n = 1.2 B^(1/2))

[figure: collision probability as a function of # samples n, rising steeply around n ≈ B^(1/2)]
Generic attack

H: M -> {0,1}^n. Collision finding algorithm:

1. Choose 2^(n/2) random elements in M: m1, ..., m_{2^(n/2)}

2. For i = 1, ..., 2^(n/2) compute t_i = H(m_i) ∈ {0,1}^n

3. Look for a collision (t_i = t_j). If not found, go back to step 1.

Expected number of iterations ≈ 2

Running time: O(2^(n/2))   (space O(2^(n/2)))
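The generic attack is short enough to run on a toy hash. Added example, not course code: H is SHA-256 truncated to n bits (an assumption that gives a small, otherwise well-behaved hash), and the function samples 2^(n/2) random messages per iteration, looks for a repeated digest and starts over if there is none, returning the colliding pair and the number of iterations used. With n = 32 it needs about 65 thousand hashes per iteration and typically finishes in two or three iterations, matching the slide's estimate.

```python
import hashlib
import math
import random


def H(m: bytes, n_bits: int) -> int:
    """Toy hash H: M -> {0,1}^n. Assumption: SHA-256 truncated to n bits."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - n_bits)


def find_collision(n_bits: int, seed: int = 0, max_iter: int = 50):
    """Generic birthday attack.
    Each iteration: draw 2^(n/2) random messages, hash them, look for t_i == t_j
    (a dict does the lookup, so space is also O(2^(n/2))). If no collision
    appears, go back to step 1. Returns (m_i, m_j, iterations) or None."""
    rng = random.Random(seed)        # seeded so runs are reproducible
    samples = math.ceil(2 ** (n_bits / 2))
    for iteration in range(1, max_iter + 1):
        seen = {}
        for _ in range(samples):
            m = rng.getrandbits(64).to_bytes(8, "big")   # random element of M
            t = H(m, n_bits)
            if t in seen and seen[t] != m:
                return seen[t], m, iteration
            seen[t] = m
    return None


def average_iterations(n_bits: int, trials: int) -> float:
    """Empirical check of 'expected number of iterations ≈ 2'."""
    total = 0
    for s in range(trials):
        total += find_collision(n_bits, seed=s)[2]
    return total / trials


if __name__ == "__main__":
    m1, m2, its = find_collision(32)
    print("collision after", its, "iteration(s):", m1.hex(), m2.hex(), hex(H(m1, 32)))
    print("average iterations over 10 runs (n=32):", average_iterations(32, 10))
```

Doubling n squares the work: at n = 64 the same loop would need about 4 billion hashes and as many dictionary entries, which is why 128-bit digests are the floor for collision resistance today.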
NIST standards

Sample C.R. hash functions:

Crypto++ 5.6.0 [Wei Dai], AMD Opteron, 2.2 GHz (Linux)

function    digest size (bits)   Speed (MB/sec)   generic attack time
SHA-1       160                  153              2^80  *
SHA-256     256                  111              2^128
SHA-512     512                  99               2^256
Whirlpool   512                  57               2^256


* best known collision finder for SHA-1 requires 2^^ hash evaluations 
Quantum Collision Finder

                                        Classical algorithms   Quantum algorithms
Block cipher E: K x X -> X
  exhaustive search                     O(|K|)                 O(|K|^(1/2))
Hash function H: M -> T
  collision finder                      O(|T|^(1/2))           O(|T|^(1/3))
Collision resistance

The Merkle-Damgard Paradigm

Collision resistance: review

Let H: M -> T be a hash function ( |M| >> |T| )

A collision for H is a pair m0, m1 ∈ M such that:

  H(m0) = H(m1) and m0 ≠ m1

Goal: collision resistant (C.R.) hash functions

Step 1: given C.R. function for short messages,
construct C.R. function for long messages
The Merkle-Damgard iterated construction

Given h: T x X -> T   (compression function)

we obtain H: X^{≤L} -> T

  H_0 = IV,  H_i = h(H_{i-1}, m[i]),  ...,  H(m) = h(H_last, m[last] || PB)

PB: padding block  =  1000...0 || msg len (64 bits)

H_i - chaining variables

If no space for PB add another block
MD collision resistance

Thm: if h is collision resistant then so is H.
Proof: collision on H ⇒ collision on h

Suppose H(M) = H(M'). We build a collision for h.

  IV = H_0,  H_1,  ...,  H_t,  H_{t+1} = H(M)
  IV = H_0', H_1', ...,  H_r', H_{r+1}' = H(M')

  h(H_t, M_t || PB) = H_{t+1} = H_{r+1}' = h(H_r', M_r' || PB')

If (H_t, M_t || PB) ≠ (H_r', M_r' || PB') this is a collision on h. Done.

Otherwise suppose H_t = H_r' and M_t = M_r' and PB = PB'
  (PB = PB' means |M| = |M'|, so t = r)

  Then:  h(H_{t-1}, M_{t-1}) = H_t = H_t' = h(H_{t-1}', M_{t-1}')

  Again either a collision on h, or H_{t-1} = H_{t-1}' and M_{t-1} = M_{t-1}'.

Repeat: either we obtain a collision on h along the way, or M_i = M_i' for all i,
i.e. M = M', contradicting M ≠ M'.

To construct C.R. function,
suffices to construct compression function
Collision resistance

Constructing Compression Functions

The Merkle-Damgard iterated construction

Thm: h collision resistant ⇒ H collision resistant

Goal: construct compression function h: T x X -> T
Compr. func. from a block cipher

E: K x {0,1}^n -> {0,1}^n a block cipher.

The Davies-Meyer compression function:  h(H, m) = E(m, H) ⊕ H

[figure: H_{i-1} enters E keyed by m_i; the output is xored with H_{i-1} to give H_i]

Thm: Suppose E is an ideal cipher (collection of |K| random perms.).
Finding a collision h(H,m) = h(H',m') takes O(2^(n/2)) evaluations of (E,D).

Best possible!!
Suppose we define h(H, m) = E(m, H)

Then the resulting h(.,.) is not collision resistant:

to build a collision (H,m) and (H',m')

choose random (H,m,m') and construct H' as follows:

O H' = D(m', E(m,H))

O H' = E(m', D(m,H))

O H' = E(m', E(m,H))

O H' = D(m', D(m,H))

Other block cipher constructions

Let E: {0,1}^n x {0,1}^n -> {0,1}^n for simplicity

Miyaguchi-Preneel:  h(H, m) = E(m, H) ⊕ H ⊕ m   (Whirlpool)

                    h(H, m) = E(H ⊕ m, m) ⊕ m

total of 12 variants like this

Other natural variants are insecure:

  h(H, m) = E(m, H) ⊕ m   (HW)
Case study: SHA-256

Merkle-Damgard function
Davies-Meyer compression function
Block cipher: SHACAL-2

[figure: SHACAL-2 used in Davies-Meyer mode: 256-bit chaining value as data, 512-bit message block as key]

Provable compression functions

Choose a random 2000-bit prime p and random 1 ≤ u, v ≤ p.
For H, m ∈ {0,...,p-1} define h(H,m) = u^H · v^m (mod p)

Fact: finding collision for h(.,.) is as hard as
solving "discrete-log" modulo p.

Problem: slow.
Collision resistance

HMAC: a MAC from SHA-256

The Merkle-Damgard iterated construction

Thm: h collision resistant ⇒ H collision resistant

Can we use H(.) to directly build a MAC?
MAC from a Merkle-Damgard Hash Function

H: X^{≤L} -> T a C.R. Merkle-Damgard Hash Function

Attempt #1: S(k, m) = H(k || m)

This MAC is insecure because:

O Given H(k || m) can compute H(w || k || m || PB) for any w.
O Given H(k || m) can compute H(k || m || w) for any w.
  Given H(k || m) can compute H(k || m || PB || w) for any w.
O Anyone can compute H(k || m) for any m.



Standardized method: HMAC (Hash-MAC)

Most widely used MAC on the Internet.

H: hash function.
  example: SHA-256 ; output is 256 bits

Building a MAC out of a hash function:

HMAC:  S(k, m) = H( k ⊕ opad || H( k ⊕ ipad || m ) )
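Why attempt #1 fails and how HMAC's nesting avoids it, shown on a toy Merkle-Damgard hash. This is an added example, not course code: the compression function h is SHA-256 applied to the chaining value and the block (an assumption standing in for a real Davies-Meyer function), the padding block PB is 0x80, zeros, and the 64-bit message length exactly as on the slide, and `md_hash` can resume the iteration from a given chaining value. `extend_without_key` reproduces the quiz's checked statement: from H(k || m) and the length of k || m alone, the digest of k || m || PB || w can be computed for any w. `hmac_md` is the slide's HMAC formula over the same hash; its inner digest is hashed again under an opad-masked key, so the resumed iteration trick no longer yields a valid tag.

```python
import hashlib
import struct

BLOCK = 64          # X = {0,1}^512: message blocks of 64 bytes
T = 32              # chaining variable / digest size in bytes
IV = bytes(T)       # fixed IV


def h(H: bytes, x: bytes) -> bytes:
    """Toy compression function h: T x X -> T. Assumption: SHA-256 of the pair."""
    assert len(H) == T and len(x) == BLOCK
    return hashlib.sha256(H + x).digest()


def md_pad(msg_len: int) -> bytes:
    """Padding block PB = 1000...0 || msg len (64 bits). A new block is started
    when the 9 bytes of PB do not fit into the last block."""
    zeros = -(msg_len + 1 + 8) % BLOCK
    return b"\x80" + bytes(zeros) + struct.pack(">Q", msg_len * 8)


def md_hash(msg: bytes, state: bytes = IV, already_processed: int = 0) -> bytes:
    """Merkle-Damgard iteration. With `state` and `already_processed` set it
    continues a previous computation whose chaining value was `state` after
    `already_processed` bytes (a multiple of BLOCK)."""
    data = msg + md_pad(already_processed + len(msg))
    for i in range(0, len(data), BLOCK):
        state = h(state, data[i:i + BLOCK])
    return state


def mac_attempt1(k: bytes, m: bytes) -> bytes:
    """Attempt #1 from the slide: S(k, m) = H(k || m)."""
    return md_hash(k + m)


def extend_without_key(tag: bytes, known_len: int, w: bytes):
    """Given tag = H(k || m) and |k || m|, compute H(k || m || PB || w) without k:
    the tag is the chaining value after the block that ended with PB, so
    resume the iteration from it. Returns (appended suffix, forged tag)."""
    pb = md_pad(known_len)
    forged = md_hash(w, state=tag, already_processed=known_len + len(pb))
    return pb + w, forged


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def hmac_md(k: bytes, m: bytes) -> bytes:
    """HMAC over the toy hash: H(k xor opad || H(k xor ipad || m)).
    Assumption: |k| <= BLOCK; the key is zero-padded to one block."""
    k = k + bytes(BLOCK - len(k))
    ipad, opad = bytes([0x36]) * BLOCK, bytes([0x5c]) * BLOCK
    inner = md_hash(xor(k, ipad) + m)
    return md_hash(xor(k, opad) + inner)


if __name__ == "__main__":
    k, m = b"secret-key", b"amount=10&to=alice"          # constructed sample
    tag = mac_attempt1(k, m)
    suffix, forged = extend_without_key(tag, len(k) + len(m), b"&amount=999")
    print("forged tag valid for attempt #1:", forged == mac_attempt1(k, m + suffix))
    print("HMAC tag:", hmac_md(k, m).hex())
```

The forged value is a valid attempt-#1 tag for the message m || PB || w, which is why a length-padded MD hash must never be keyed by simple prefixing; HMAC's outer hash is the fix the next slides describe.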
HMAC in pictures

[figure: inner hash: IV -> h(IV, k ⊕ ipad) (fixed) -> h over m[0], m[1], m[2] || PB;
 outer hash: IV -> h(IV, k ⊕ opad) (fixed) -> h over the inner result || PB -> tag]

Similar to the NMAC PRF.

main difference: the two keys k1, k2 are dependent
HMAC properties

Built from a black-box implementation of SHA-256.

HMAC is assumed to be a secure PRF

• Can be proven under certain PRF assumptions about h(.,.)

• Security bounds similar to NMAC

  - Need q^2/|T| to be negligible (q << |T|^(1/2))

In TLS: must support HMAC-SHA1-96
Collision resistance

Timing attacks on MAC verification

Warning: verification timing attacks [L'09]

Example: Keyczar crypto library (Python) [simplified]

  def Verify(key, msg, sig_bytes):
      # '==' on the two byte strings stops at the first mismatch
      return HMAC(key, msg) == sig_bytes

The problem: '==' implemented as a byte-by-byte comparison
• Comparator returns false when first inequality found
Warning: verification timing attacks [L'09]

  attacker (target msg m)  ---- m, tag ---->  server
                           <-- accept or reject --

Timing attack: to compute tag for target message m do:

Step 1: Query server with random tag

Step 2: Loop over all possible first bytes and query server.
        stop when verification takes a little longer than in step 1

Step 3: repeat for all tag bytes until valid tag found
Defense #1

Make string comparator always take same time (Python):

  def Verify(key, msg, sig_bytes):
      mac = HMAC(key, msg)
      if len(mac) != len(sig_bytes):
          return False                  # wrong length: reject without comparing bytes
      result = 0
      for x,y in zip(mac, sig_bytes):
          result |= ord(x) ^ ord(y)     # accumulate every difference, no early exit
      return result == 0

Can be difficult to ensure due to optimizing compiler.

Defense #2

Make string comparator always take same time (Python):

  def Verify(key, msg, sig_bytes):
      mac = HMAC(key, msg)
      return HMAC(key, mac) == HMAC(key, sig_bytes)

Attacker doesn't know values being compared
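The three verifiers side by side, as an added example (not the Keyczar code or the slide's code): the leaky pattern, Defense #1, Defense #2, and the standard-library routine a practitioner should reach for. All four agree on every input; they differ only in what the running time of a rejection reveals. `hmac.compare_digest` is a real function of Python's `hmac` module.

```python
import hashlib
import hmac


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_leaky(key: bytes, msg: bytes, sig_bytes: bytes) -> bool:
    # The Keyczar pattern: '==' on bytes returns as soon as one byte differs,
    # so the time to reject grows with the length of the matching prefix.
    return mac(key, msg) == sig_bytes


def verify_defense1(key: bytes, msg: bytes, sig_bytes: bytes) -> bool:
    # Defense #1: visit every byte and OR the differences together.
    # The loop runs to the end whether or not an early byte mismatched.
    expected = mac(key, msg)
    if len(expected) != len(sig_bytes):
        return False
    result = 0
    for x, y in zip(expected, sig_bytes):
        result |= x ^ y
    return result == 0


def verify_defense2(key: bytes, msg: bytes, sig_bytes: bytes) -> bool:
    # Defense #2: compare MACs of the two values. The early-exit comparison
    # still happens, but on strings the attacker cannot predict or steer.
    return mac(key, mac(key, msg)) == mac(key, sig_bytes)


def verify_stdlib(key: bytes, msg: bytes, sig_bytes: bytes) -> bool:
    # In practice: use the library's constant-time comparison.
    return hmac.compare_digest(mac(key, msg), sig_bytes)


if __name__ == "__main__":
    key, msg = b"k" * 32, b"hello"                      # constructed sample
    good = mac(key, msg)
    bad = bytes([good[0] ^ 1]) + good[1:]               # tag with one flipped bit
    for v in (verify_leaky, verify_defense1, verify_defense2, verify_stdlib):
        print(v.__name__, v(key, msg, good), v(key, msg, bad))
```

Defense #1 is the one the slide flags as fragile: a compiler or interpreter is free to short-circuit the accumulation, which is why `compare_digest` (or Defense #2) is preferable to a hand-written loop.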
Lesson

Don't implement crypto yourself!
Authenticated Encryption

Active attacks on CPA-secure encryption

Recap: the story so far

Confidentiality: semantic security against a CPA attack

• Encryption secure against eavesdropping only

Integrity:

• Existential unforgeability under a chosen message attack

• CBC-MAC, HMAC, PMAC, CW-MAC

This module: encryption secure against tampering
• Ensuring both confidentiality and integrity
Sample tampering attacks

TCP/IP: (highly abstracted)

  source machine  ---- packet [ dest = 80 | data ] ---->  destination machine (WWW, port = 80)

Sample tampering attacks

IPsec: (highly abstracted)

  packets encrypted using key k:  [ dest = 25 | stuff ]  ---->  Bob (port = 25)

Reading someone else's data

Note: attacker obtains decryption of any ciphertext beginning with "dest=25"

  encrypted [ dest = 80 | data ]  -- attacker changes the header -->  encrypted [ dest = 25 | data ]  ---->  Bob (port = 25)

Easy to do for CBC with rand. IV
(only IV is changed)
  IV,  c[0], c[1], ...     m[0] = D(k, c[0]) ⊕ IV  =  "dest=80 ..."
  IV', c[0], c[1], ...     should decrypt to           "dest=25 ..."

Encryption is done with CBC with a random IV.

What should IV' be?

O IV' = IV ⊕ (...25...)

O IV' = IV ⊕ (...80...)

O IV' = IV ⊕ (...80...) ⊕ (...25...)

O It can't be done

An attack using only network access

Remote terminal app.: each keystroke encrypted with CTR mode

[figure: encrypted packet (hdr, keystroke D, checksum t); the attacker xors a value s into the ciphertext of D and a guess into the checksum]

ACK if valid checksum, nothing otherwise

{ checksum(hdr, D) = t ⊕ checksum(hdr, D⊕s) } ⇒ can find D
The lesson

CPA security cannot guarantee secrecy under active attacks.

Only use one of two modes:

• If message needs integrity but no confidentiality:
  use a MAC

• If message needs both integrity and confidentiality:
  use authenticated encryption modes (this module)
Authenticated Encryption

Definitions

Goals

An authenticated encryption system (E,D) is a cipher where

  As usual:  E: K x M x N -> C
  but        D: K x C x N -> M ∪ {⊥}      (⊥ : ciphertext is rejected)

Security: the system must provide

• sem. security under a CPA attack, and

• ciphertext integrity:
  attacker cannot create new ciphertexts that decrypt properly
Ciphertext integrity

Let (E,D) be a cipher with message space M.

  Chal.                                        Adv.
  k <- K
            <------ m1, ..., mq ∈ M ----------
            ---- c1 <- E(k,m1), ..., cq ----->
            <------ c -----------------------

  b=1 if D(k,c) ≠ ⊥ and c ∉ {c1, ..., cq}
  b=0 otherwise

Def: (E,D) has ciphertext integrity if for all "efficient" A:

  Adv_CI[A,E] = Pr[Chal. outputs 1] is "negligible."
Authenticated encryption

Def: cipher (E,D) provides authenticated encryption (AE) if it is

(1) semantically secure under CPA, and

(2) has ciphertext integrity

Bad example: CBC with rand. IV does not provide AE
• D(k, ·) never outputs ⊥, hence adv. easily wins CI game

Implication 1: authenticity

Attacker cannot fool Bob into thinking a message was sent from Alice

  Alice (k)  ---- m1, ..., mq ;  c_i = E(k, m_i) ---->  Bob (k)

  attacker cannot create valid c ∉ {c1, ..., cq}

⇒ if D(k,c) ≠ ⊥ Bob knows message is from someone who knows k

  (but message could be a replay)

Implication 2

Authenticated encryption ⇒ Security against chosen ciphertext attacks

(next segment)
Authenticated Encryption

Chosen ciphertext attacks

Example chosen ciphertext attacks

Adversary has ciphertext c that it wants to decrypt

• Often, adv. can fool server into decrypting certain ciphertexts (not c)

• Often, adversary can learn partial information about plaintext

[figure: encrypted TCP/IP packet submitted to the server; the server answers (ACK) only if the checksum is valid]
Chosen ciphertext security

Adversary's power: both CPA and CCA

• Can obtain the encryption of arbitrary messages of his choice

• Can decrypt any ciphertext of his choice, other than challenge

(conservative modeling of real life)

Adversary's goal: Break semantic security
Chosen ciphertext security: definition

E = (E,D) cipher defined over (K,M,C). For b=0,1 define EXP(b):

  Chal.                                                   Adv.
  k <- K
  for i=1,...,q:
    (1) CPA query:   <---- m_i,0, m_i,1 ∈ M, |m_i,0| = |m_i,1| ----
                     ---- c_i <- E(k, m_i,b) ----------------->
    (2) CCA query:   <---- c_i ∈ C, c_i ∉ {c_1, ..., c_{i-1}} ----
                     ---- m_i <- D(k, c_i) ------------------->
                                                        b' ∈ {0,1}

Chosen ciphertext security: definition

E is CCA secure if for all "efficient" A:

  Adv_CCA[A,E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] | is "negligible."

Example: CBC with rand. IV is not CCA-secure
Authenticated enc. ⇒ CCA security

Thm: Let (E,D) be a cipher that provides AE.

Then (E,D) is CCA secure!

In particular, for any q-query eff. A there exist eff. B1, B2 s.t.

  Adv_CCA[A,E] ≤ 2q · Adv_CI[B1,E] + Adv_CPA[B2,E]
Proof by pictures

Four games, each a challenger (k <- K) answering the adversary's CPA queries (m_i,0, m_i,1) and CCA queries c_i:

  EXP(0):   CPA query -> c_i = E(k, m_i,0)   CCA query -> D(k, c_i)

  Game 2:   CPA query -> c_i = E(k, m_i,0)   CCA query -> ⊥
            (indistinguishable from EXP(0) by ciphertext integrity: a CCA query on a new ciphertext decrypts to ⊥ anyway)

  Game 3:   CPA query -> c_i = E(k, m_i,1)   CCA query -> ⊥
            (indistinguishable from Game 2 by CPA security: the decryption oracle is now useless)

  EXP(1):   CPA query -> c_i = E(k, m_i,1)   CCA query -> D(k, c_i)
            (indistinguishable from Game 3 by ciphertext integrity)
So what?

Authenticated encryption:

• ensures confidentiality against an active adversary
  that can decrypt some ciphertexts

Limitations:

• does not prevent replay attacks

• does not account for side channels (timing)
Authenticated Encryption

Constructions from ciphers and MACs

... but first, some history

Authenticated Encryption (AE): introduced in 2000 [KY'00, BN'00]

Crypto APIs before then: (e.g. MS-CAPI)

• Provide API for CPA-secure encryption (e.g. CBC with rand. IV)

• Provide API for MAC (e.g. HMAC)

Every project had to combine the two itself without a well defined goal

• Not all combinations provide AE ...
Combining MAC and ENC (CCA)

Encryption key k_E. MAC key = k_I

Option 1: (SSL)     MAC-then-encrypt
  tag <- S(k_I, m);  send E(k_E, m || tag)

Option 2: (IPsec)   encrypt-then-MAC   (always correct)
  c <- E(k_E, m);  tag <- S(k_I, c);  send c || tag

Option 3: (SSH)     encrypt-and-MAC
  c <- E(k_E, m);  tag <- S(k_I, m);  send c || tag
A.E. Theorems

Let (E,D) be CPA secure cipher and (S,V) secure MAC. Then

1. Encrypt-then-MAC: always provides A.E.

2. MAC-then-encrypt: may be insecure against CCA attacks

   however: when (E,D) is rand-CTR mode or rand-CBC
   M-then-E provides A.E.

   for rand-CTR mode, one-time MAC is sufficient

Standards (at a high level) 

• GCM: CTR mode encryption then CW-MAC 

(accelerated via Intel's PCLMULQDQ instruction) 

• CCM: CBC-MAC then CTR mode encryption ( 802 .iii) 

• EAX: CTR mode encryption then CMAC 


All support AEAD: (auth. enc. with associated data). All are nonce-based. 

encrypted 


associated data 


^ ■ ■ 

I. I. I. I . I 


I ■ I ■ I ■ I ■ I 


encrypitpd'ri^t;^ 


authenticated 
An example API (OpenSSL)

  int AES_GCM_Init(AES_GCM_CTX *a,
                   unsigned char *nonce, unsigned long noncelen,
                   unsigned char *key, unsigned int klen)

  int AES_GCM_EncryptUpdate(AES_GCM_CTX *a,
                   unsigned char *aad, unsigned long aadlen,
                   unsigned char *data, unsigned long datalen,
                   unsigned char *out, unsigned long *outlen)
MAC Security -- an explanation

Recall: MAC security implies  (m, t)  ⇏  (m, t')

Why? Suppose not:  (m, t)  ->  (m, t')

Then Encrypt-then-MAC would not have Ciphertext Integrity!!
OCB: a direct construction from a PRP

More efficient authenticated encryption: one E() op. per block.

Performance:  Crypto++ 5.6.0 [Wei Dai], AMD Opteron, 2.2 GHz (Linux)

Cipher       code size   Speed (MB/sec)
AES/GCM      large       108
AES/CCM      smaller     61
AES/EAX      smaller     61
AES/OCB                  129*

AES/CTR                  139
AES/CBC                  109
AES/CMAC                 109
HMAC/SHA1                147

* extrapolated from Ted Krovetz's results
** non-Intel machines
Authenticated Encryption

Case study: TLS

The TLS Record Protocol (TLS 1.2)

Unidirectional keys: k_b->s and k_s->b

Stateful encryption:

• Each side maintains two 64-bit counters: ctr_b->s, ctr_s->b

• Init. to 0 when session started. ctr++ for every record.

• Purpose: replay defense

TLS record: encryption (CBC AES-128, HMAC-SHA1)

  k_b->s = (k_mac, k_enc)

  record:  [ type || ver || len ] [ data ] [ tag ] [ pad ]

Browser side enc(k_b->s, data, ctr_b->s):

step 1: tag <- S(k_mac, [ ++ctr_b->s || header || data ])

step 2: pad [ header || data || tag ] to AES block size

step 3: CBC encrypt with k_enc and new random IV

step 4: prepend header
TLS record: decryption (CBC AES-128, HMAC-SHA1)

Server side dec(k_b->s, record, ctr_b->s):

step 1: CBC decrypt record using k_enc

step 2: check pad format: send bad_record_mac if invalid

step 3: check tag on [ ++ctr_b->s || header || data ]
        send bad_record_mac if invalid

Provides authenticated encryption

(provided no other info. is leaked during decryption)
Bugs in older versions (prior to TLS 1.1)

IV for CBC is predictable: (chained IV)

  IV for next record is last ciphertext block of current record.

  Not CPA secure. (a practical exploit: BEAST attack)

Padding oracle: during decryption

  if pad is invalid send decryption_failed alert
  if mac is invalid send bad_record_mac alert

  ⇒ attacker learns info. about plaintext (attack in next segment)

Lesson: when decryption fails, do not explain why


Leaking the length

The TLS header leaks the length of TLS records

• Lengths can also be inferred by observing network traffic

For many web applications, leaking lengths reveals sensitive info:

• In tax preparation sites, lengths indicate the type of return being
  filed which leaks information about the user's income

• In healthcare sites, lengths leak what page the user is viewing

• In Google maps, lengths leak the location being requested

No easy solution
802.11b WEP: how not to do it

802.11b WEP:

Previously discussed problems:

  two time pad and related PRG seeds

Active attacks

Fact: CRC is linear, i.e. ∀m,p: CRC(m ⊕ p) = CRC(m) ⊕ F(p)

WEP ciphertext:      IV | dest-port = 80 | data | CRC
attacker xors in:         000..00..XX..0000...  | F(XX)      where XX = 25 ⊕ 80
Upon decryption:     IV | dest-port = 25 | data | CRC'

CRC is valid, but ciphertext is changed!!
Authenticated Encryption

CBC padding attacks

Recap

Authenticated encryption: CPA security + ciphertext integrity

• Confidentiality in presence of active adversary

• Prevents chosen-ciphertext attacks

Limitation: cannot help bad implementations ... (this segment)

Authenticated encryption modes:

• Standards: GCM, CCM, EAX

• General construction: encrypt-then-MAC
TLS record protocol (CBC encryption)

Decryption: dec(k_b->s, record, ctr_b->s):

step 1: CBC decrypt record using k_enc

step 2: check pad format: abort if invalid

step 3: check tag on [ ++ctr_b->s || header || data ]
        abort if invalid

Two types of error:

• padding error

• MAC error
Padding oracle

Suppose attacker can differentiate the two errors
(pad error, MAC error):

⇒ Padding oracle:

  attacker submits ciphertext and learns if
  last bytes of plaintext are a valid pad

  record:  [ type || ver || len ] [ data ] [ tag ] [ pad ]

Nice example of a chosen ciphertext attack
Padding oracle via timing (OpenSSL)

[figure: timing histogram of decryption_failed vs. bad_record_mac responses; credit: Brice Canvel]

(fixed in OpenSSL 0.9.7a)

In older TLS 1.0: padding oracle due to different alert messages.
Using a padding oracle (CBC encryption)

Attacker has ciphertext c = (c[0], c[1], c[2]) and it wants m[1]

Using a padding oracle (CBC encryption)

step 1: let g be a guess for the last byte of m[1]

[figure: c'[0] is derived from c[0] and the guess g; if the guess is right the decryption of c[1] ends in a valid pad, otherwise: invalid pad]

Using a padding oracle (CBC encryption)

Attack: submit ( IV, c'[0], c[1] ) to padding oracle

  ⇒ attacker learns if last-byte = g

Repeat with g = 0,1,..., 255 to learn last byte of m[1]

Then use a (02, 02) pad to learn the next byte and so on ...
IMAP over TLS

Problem: TLS renegotiates key when an invalid record is received

Enter IMAP over TLS: (protocol for reading email)

• Every five minutes client sends login message to server:

    LOGIN "username" "password"

• Exact same attack works, despite new keys

  ⇒ recovers password in a few hours.
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Lesson 


1. Encrypt-then-MAC would completely avoid this problem: 
MAC is checked first and ciphertext discarded if invalid 


2. MAC-then-CBC provides A.E., but padding oracle destroys it 
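The lesson in code, as an added example that is not part of the course material: a MAC-then-CBC record decryptor in the TLS 1.0 style next to an Encrypt-then-MAC one, both built from AES-128-CBC and HMAC-SHA256 with PKCS#7-style padding (constructed choices, not the exact TLS 1.0 formats). The first has two distinct failure modes, which is exactly the oracle; the second verifies the tag before touching the ciphertext and can only ever report one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// The two failure modes of MAC-then-CBC decryption; Encrypt-then-MAC only ever reports ErrMAC.
var ErrPad = errors.New("bad padding")
var ErrMAC = errors.New("bad MAC")

// pkcs7Pad appends 1..16 bytes, each equal to the pad length.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, ErrPad
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return nil, ErrPad
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, ErrPad
		}
	}
	return b[:len(b)-n], nil
}

func newAES(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// cbcEncrypt returns IV || CBC(body) under a fresh random IV; body is already padded.
func cbcEncrypt(kEnc, body []byte) []byte {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	out := make([]byte, len(body))
	cipher.NewCBCEncrypter(newAES(kEnc), iv).CryptBlocks(out, body)
	return append(iv, out...)
}

// cbcDecrypt takes IV || ciphertext (a multiple of the block size, at least two blocks).
func cbcDecrypt(kEnc, c []byte) []byte {
	out := make([]byte, len(c)-aes.BlockSize)
	cipher.NewCBCDecrypter(newAES(kEnc), c[:aes.BlockSize]).CryptBlocks(out, c[aes.BlockSize:])
	return out
}

func tag(kMac, data []byte) []byte {
	h := hmac.New(sha256.New, kMac)
	h.Write(data)
	return h.Sum(nil)
}

// MAC-then-CBC, as in the TLS 1.0 record layer: IV || CBC(m || tag(m) || pad).
func encryptMacThenCBC(kEnc, kMac, m []byte) []byte {
	return cbcEncrypt(kEnc, pkcs7Pad(append(append([]byte{}, m...), tag(kMac, m)...)))
}

// decryptMacThenCBC decrypts, checks the pad, then checks the MAC. A receiver
// that reveals which check failed (alert type, timing) is a padding oracle.
func decryptMacThenCBC(kEnc, kMac, c []byte) ([]byte, error) {
	if len(c) < 2*aes.BlockSize || len(c)%aes.BlockSize != 0 {
		return nil, ErrPad
	}
	body, err := pkcs7Unpad(cbcDecrypt(kEnc, c))
	if err != nil {
		return nil, err
	}
	cut := len(body) - sha256.Size
	if cut < 0 || !hmac.Equal(body[cut:], tag(kMac, body[:cut])) {
		return nil, ErrMAC
	}
	return body[:cut], nil
}

// Encrypt-then-MAC: IV || CBC(m || pad) || tag(IV || ciphertext).
func encryptThenMAC(kEnc, kMac, m []byte) []byte {
	c := cbcEncrypt(kEnc, pkcs7Pad(append([]byte{}, m...)))
	return append(c, tag(kMac, c)...)
}

// decryptEncThenMAC checks the tag before decrypting anything, so a modified
// ciphertext is discarded with the single error ErrMAC.
func decryptEncThenMAC(kEnc, kMac, c []byte) ([]byte, error) {
	cut := len(c) - sha256.Size
	if cut < 2*aes.BlockSize || cut%aes.BlockSize != 0 || !hmac.Equal(c[cut:], tag(kMac, c[:cut])) {
		return nil, ErrMAC
	}
	m, err := pkcs7Unpad(cbcDecrypt(kEnc, c[:cut]))
	if err != nil {
		return nil, ErrMAC // unreachable for an authentic ciphertext
	}
	return m, nil
}
```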
Will this attack work if TLS used counter mode instead of CBC?
(i.e. use MAC-then-CTR)

○ Yes, padding oracles affect all encryption schemes
○ It depends on what block cipher is used
○ No, counter mode need not use padding   ✓
Authenticated Encryption

Attacking non-atomic decryption

SSH Binary Packet Protocol

[figure: SSH packet with seq. num., packet length, padding length, payload and padding under CBC encryption (chained IV), with the MAC tag computed over the plaintext]

Decryption:

• step 1: decrypt packet length field only (!)

• step 2: read as many packets as length specifies

• step 3: decrypt remaining ciphertext blocks

• step 4: check MAC tag and send error response if invalid
An attack on the enc. length field (simplified)

Attacker has one ciphertext block c = AES(k, m) and it wants m

[figure: the attacker sends c (one AES block) as the first block of a new packet; the server decrypts it and obtains the "len" field; the attacker then sends bytes one at a time; when "len" bytes have been read the server sends "MAC error"]

⇒ attacker learns 32 LSB bits of m !!
Lesson

The problem: (1) non-atomic decrypt
             (2) len field decrypted and used before it is authenticated

How would you redesign SSH to resist this attack?

○ Send the length field unencrypted (but MAC-ed)
○ Replace encrypt-and-MAC by encrypt-then-MAC
○ Add a MAC of (seq-num, length) right after the len field
○ Remove the length field and identify packet boundary by verifying the MAC after every received byte

Further reading

• The Order of Encryption and Authentication for Protecting Communications, H. Krawczyk, Crypto 2001.

• Authenticated-Encryption with Associated-Data, P. Rogaway, Proc. of CCS 2002.

• Password Interception in a SSL/TLS Channel, B. Canvel, A. Hiltgen, S. Vaudenay, M. Vuagnoux, Crypto 2003.

• Plaintext Recovery Attacks Against SSH, M. Albrecht, K. Paterson and G. Watson, IEEE S&P 2009.

• Problem areas for the IP security protocols, S. Bellovin, Usenix Security 1996.
Odds and ends

Key Derivation

Deriving many keys from one

Typical scenario: a single source key (SK) is sampled from

• Hardware random number generator

• A key exchange protocol (discussed later)

Need many keys to secure session:

• unidirectional keys; multiple keys for nonce-based CBC.

Goal: generate many keys from this one source key

When source key is uniform

F: a PRF with key space K and outputs in {0,1}^n

Suppose source key SK is uniform in K

• Define Key Derivation Function (KDF) as:

      KDF(SK, CTX, L) := F(SK, (CTX ‖ 0)) ‖ F(SK, (CTX ‖ 1)) ‖ ⋯ ‖ F(SK, (CTX ‖ L))

CTX: a string that uniquely identifies the application
KDF(SK, CTX, L) := F(SK, (CTX ‖ 0)) ‖ F(SK, (CTX ‖ 1)) ‖ ⋯ ‖ F(SK, (CTX ‖ L))

What is the purpose of CTX?

○ Even if two apps sample same SK they get indep. keys   ✓
○ It's good practice to label strings with the app. name
○ It serves no purpose

What if source key is not uniform?

Recall: PRFs are pseudo random only when key is uniform in K

• SK not uniform ⇒ PRF output may not look random

Source key often not uniformly random:

• Key exchange protocol: key uniform in some subset of K

• Hardware RNG: may produce biased output

Extract-then-Expand paradigm

Step 1: extract pseudo-random key k from source key SK

[figure: SK and salt enter an extractor, which outputs the pseudo-random key k]

   salt: a fixed non-secret string chosen at random

step 2: expand k by using it as a PRF key as before
HKDF: a KDF from HMAC

Implements the extract-then-expand paradigm:

• extract: use k ← HMAC(salt, SK)

• Then expand using HMAC as a PRF with key k
Password-Based KDF (PBKDF)

Deriving keys from passwords:

• Do not use HKDF: passwords have insufficient entropy

• Derived keys will be vulnerable to dictionary attacks
  (more on this later)

PBKDF defenses: salt and a slow hash function

Standard approach: PKCS#5 (PBKDF1)

      H^(c)(pwd ‖ salt): iterate hash function c times
Odds and ends

Deterministic Encryption

The need for det. encryption (no nonce)

[figure: Alice stores records in an encrypted database and later wants to look one up: ??]

The need for det. encryption (no nonce)

[figure: the same setting with keys k1, k2; Later: a lookup in the encrypted database]

Problem: det. enc. cannot be CPA secure

The problem: attacker can tell when two ciphertexts encrypt the same message ⇒ leaks information

Leads to significant attacks when message space M is small.

[figure: encrypted database; equal ciphertexts means same index]

Attacker wins CPA game:

   Adv. → Chal. (k ← K):   m0, m0 ∈ M
   Chal. → Adv.:           c0 ← E(k, m0)
   Adv. → Chal.:           m0, m1 ∈ M
   Chal. → Adv.:           c ← E(k, m_b)
   Adv.:                   output 0 if c = c0


Suppose encryptor never encrypts same message twice: 
the pair (k, m) neyer repeats 

This happens when encryptor: 

• Chooses messages at random from a large msg space (e.g. keys) 

• Message structure ensures uniqueness (e.g. unique user ID) 
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Deterministic CPA security 

E = (E,D) a cipher defined over (K,M,C). For b=0,l define EXP(b) as: 



where nriio/ •••/ „ are distinct and mu,^ are distinct 

Def: E is sem. sec. under det. CPA if for all efficient A: 

AdVdcpA[A,E] = I Pr[EXP(0)=l]-Pr[EXP(l)=l] | is negligible. 
A Common Mistake

CBC with fixed IV is not det. CPA secure.

Let E: K × {0,1}^n → {0,1}^n be a secure PRP used in CBC

   Adv. → Chal. (k ← K):   m0 = 0^n, m0 = 0^n
   Chal. → Adv.:           c0 ← [ FIV, E(k, 0^n ⊕ FIV), … ]
   Adv. → Chal.:           m0 = 0^n, m1 = 1^n
   Chal. → Adv.:           c ← [ FIV, E(k, FIV) ]   or   c ← [ FIV, E(k, 1^n ⊕ FIV) ]
   Adv.:                   output 0 if c[1] = c0[1]

Leads to significant attacks in practice.

Is counter mode with a fixed IV det. CPA secure?

○ Yes
○ No
○ It depends
Odds and ends

Deterministic Encryption
Constructions: SIV and wide PRP

Deterministic encryption

Needed for maintaining an encrypted database index

• Lookup records by encrypted index

Deterministic CPA security:

• Security if never encrypt same message twice using same key:
  the pair (key, msg) is unique

Formally: we defined deterministic CPA security game

Construction 1: Synthetic IV (SIV)

Let (E, D) be a CPA-secure encryption. E(k, m ; r) → c
Let F: K × M → R be a secure PRF

Define: E_det((k1, k2), m) = E(k2, m ; r)   where r ← F(k1, m)

Thm: E_det is sem. sec. under det. CPA.

Proof sketch: distinct msgs. ⇒ all r's are indist. from random

Well suited for messages longer than one AES block (16 bytes)
Ensuring ciphertext integrity

Goal: det. CPA security and ciphertext integrity

⇒ DAE: deterministic authenticated encryption

Consider a SIV special case: SIV-CTR

   SIV where cipher is counter mode with rand. IV

Det. Auth. Enc. (DAE) for free

[figure: SIV-CTR decryption: CTR-decrypt under the transmitted IV, recompute F(k1, m) and reject if it differs from the IV]

Thm: if F is a secure PRF and CTR from F_ctr is CPA-secure
then SIV-CTR from F, F_ctr provides DAE
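SIV-CTR as an added example (not the course's code): F is HMAC-SHA256 truncated to one AES block, the CPA-secure cipher is AES-128 counter mode, and decryption recomputes F(k1, m) and compares it with the transmitted IV, which is the DAE check. The keys in the test are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

var ErrAuth = errors.New("siv: authentication failed")

// sivIV is the PRF F(k1, m): HMAC-SHA256 truncated to one AES block. Its output
// is the synthetic IV for CTR mode and, on decryption, the integrity tag.
func sivIV(k1, m []byte) []byte {
	h := hmac.New(sha256.New, k1)
	h.Write(m)
	return h.Sum(nil)[:aes.BlockSize]
}

// ctrCrypt is the CPA-secure cipher E(k2, m; r): AES counter mode with IV r.
func ctrCrypt(k2, iv, in []byte) []byte {
	block, err := aes.NewCipher(k2)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// sivEncrypt: r <- F(k1, m); c <- E(k2, m; r); output r || c. No randomness is
// used, so the same (k1, k2, m) always yields the same ciphertext.
func sivEncrypt(k1, k2, m []byte) []byte {
	r := sivIV(k1, m)
	return append(r, ctrCrypt(k2, r, m)...)
}

// sivDecrypt recovers m under the transmitted IV and then recomputes F(k1, m).
// Any change to r or to c changes the recovered m, so the recomputed value no
// longer equals r and the ciphertext is rejected: this is the DAE "for free".
func sivDecrypt(k1, k2, c []byte) ([]byte, error) {
	if len(c) < aes.BlockSize {
		return nil, ErrAuth
	}
	r, body := c[:aes.BlockSize], c[aes.BlockSize:]
	m := ctrCrypt(k2, r, body)
	if !hmac.Equal(sivIV(k1, m), r) {
		return nil, ErrAuth
	}
	return m, nil
}
```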
Construction 2: just use a PRP

Let (E, D) be a secure PRP. E: K × X → X

Thm: (E,D) is sem. sec. under det. CPA.

Proof sketch: let f: X → X be a truly random invertible func.

   in EXP(0) adv. sees: f(m_{1,0}), …, f(m_{q,0})   ⇒ q random values in X

   in EXP(1) adv. sees: f(m_{1,1}), …, f(m_{q,1})   ⇒ q random values in X

Using AES: Det. CPA secure encryption for 16 byte messages.
Longer messages?? Need PRPs on larger msg spaces ...
EME: constructing a wide block PRP

Let (E, D) be a secure PRP. E: K × {0,1}^n → {0,1}^n

EME: a PRP on {0,1}^N for N ≫ n

[figure: EME on input blocks x[0], x[1], x[2]: each block is masked and passed through E, the results are mixed with ⊕, and a second pass through E produces the output blocks y[0], y[1], y[2]]

Performance:

• can be 2x slower than SIV
PRP-based Det. Authenticated Enc.

Goal: det. CPA security and ciphertext integrity

⇒ DAE: deterministic authenticated encryption

Encryption: [figure: append 0^n (n zero bits) to the message and apply the PRP to the whole string]

Decryption: [figure: apply the inverse PRP; reject the ciphertext unless the last n bits are 0^n]

PRP-based Det. Authenticated Enc.

Let (E, D) be a secure PRP. E: K × (X × {0,1}^n) → X × {0,1}^n

Thm: 1/2^n is negligible ⇒ PRP-based enc. provides DAE

Proof sketch: suffices to prove ciphertext integrity

[figure: the adversary outputs a new ciphertext c after seeing encryptions of chosen messages; for a truly random permutation π, π^(−1)(c) is a fresh random value]

   But then Pr[ LSB_n(π^(−1)(c)) = 0^n ] ≤ 1/2^n
Odds and ends

Tweakable encryption

Disk encryption: no expansion

Sectors on disk are fixed size (e.g. 4KB)

⇒ encryption cannot expand plaintext (i.e. M = C)
⇒ must use deterministic encryption, no integrity

Lemma: if (E, D) is a det. CPA secure cipher with M = C
then (E, D) is a PRP.

⇒ every sector will need to be encrypted with a PRP

[figure: sector 1, sector 2, sector 3, each encrypted with the same PRP(k, ·)]

Problem: sector 1 and sector 3 may have same content
• Leaks same information as ECB mode

Can we do better?

[figure: sector 1, sector 2, sector 3 encrypted with PRP(k1, ·), PRP(k2, ·), PRP(k3, ·) respectively]

Avoids previous leakage problem

• ... but attacker can tell if a sector is changed and then reverted

Managing keys: the trivial construction   k_t = PRF(k, t), t = 1, …, L

Can we do better?
Tweakable block ciphers

Goal: construct many PRPs from a key k ∈ K.

Syntax: E, D: K × T × X → X
   for every t ∈ T and k ← K:
   E(k, t, ·) is an invertible func. on X, indist. from random

Application: use sector number as the tweak

⇒ every sector gets its own independent PRP

Secure tweakable block ciphers

E, D: K × T × X → X. For b=0,1 define experiment EXP(b) as:

[figure: EXP(b) game for tweakable PRPs]

• Def: E is a secure tweakable PRP if for all efficient A:

   Adv_tPRP[A,E] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] |   is negligible.

Example 1: the trivial construction

Let (E,D) be a secure PRP, E: K × X → X.

• The trivial tweakable construction: (suppose K = X)

      E_tweak(k, t, x) = E( E(k, t), x )

⇒ to encrypt n blocks need 2n evals of E(·,·)

2. the XTS tweakable block cipher

Let (E,D) be a secure PRP, E: K × {0,1}^n → {0,1}^n.

• XTS: E_tweak( (k1, k2), (t, i), x ) =

      N ← E(k2, t)

[figure: block x at position i of sector t is masked with N ⊗ α^i before and after E(k1, ·)]

[R'04]
Is it necessary to encrypt the tweak before using it?

That is, is the following a secure tweakable PRP?

[figure: the XTS structure with the mask P(t, i) computed from the tweak t directly, without first encrypting t under k2]

○ Yes, it is secure
○ No: E(k, (t,1), P(t,2)) ⊕ E(k, (t,2), P(t,1)) = P(t,1)
○ No: E(k, (t,1), P(t,1)) ⊕ E(k, (t,2), P(t,2)) = P(t,1) ⊕ P(t,2)
○ No: E(k, (t,1), P(t,1)) ⊕ E(k, (t,2), P(t,2)) = 0

Disk encryption using XTS

[figure: sector # t: block j of the sector is encrypted as E_tweak((k1,k2), (t, j), x[j])]

• note: block-level PRP, not sector-level PRP.

• Popular in disk encryption products:
  Mac OS X Lion, TrueCrypt, BestCrypt, ...
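A block-level XTS-AES implementation as an added example (not from the course nor from any of the products named above): the sector number is the tweak, N ← E(k2, t), and block j of the sector is masked with N·α^j in GF(2^128) before and after AES under k1, using the little-endian convention of IEEE 1619. Keys in the test are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// mulAlpha multiplies a 128-bit value (little-endian, as in IEEE 1619) by alpha = x
// in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1.
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// xts holds the two AES keys: k1 encrypts data blocks, k2 encrypts the tweak.
type xts struct{ k1, k2 cipher.Block }

func newXTS(key1, key2 []byte) *xts {
	b1, err := aes.NewCipher(key1)
	if err != nil {
		panic(err)
	}
	b2, err := aes.NewCipher(key2)
	if err != nil {
		panic(err)
	}
	return &xts{b1, b2}
}

// crypt processes one sector t: N <- E(k2, t); block j is masked with N * alpha^j
// before and after E(k1, .). Each 16-byte block is its own PRP, so equal plaintext
// blocks at different (sector, position) pairs give unrelated ciphertext blocks.
func (x *xts) crypt(t uint64, data []byte, encrypt bool) []byte {
	if len(data)%aes.BlockSize != 0 {
		panic("sector must be a whole number of blocks")
	}
	var tweak, buf [16]byte
	binary.LittleEndian.PutUint64(tweak[:8], t)
	x.k2.Encrypt(tweak[:], tweak[:])
	out := make([]byte, len(data))
	for j := 0; j < len(data); j += aes.BlockSize {
		for i := range buf {
			buf[i] = data[j+i] ^ tweak[i]
		}
		if encrypt {
			x.k1.Encrypt(buf[:], buf[:])
		} else {
			x.k1.Decrypt(buf[:], buf[:])
		}
		for i := range buf {
			out[j+i] = buf[i] ^ tweak[i]
		}
		mulAlpha(&tweak)
	}
	return out
}

func (x *xts) EncryptSector(t uint64, p []byte) []byte { return x.crypt(t, p, true) }
func (x *xts) DecryptSector(t uint64, c []byte) []byte { return x.crypt(t, c, false) }
```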
Summary

Use tweakable encryption when you need many independent PRPs from one key

XTS is more efficient than the trivial construction

— Both are narrow block: 16 bytes for AES

EME (previous segment) is a tweakable mode for wide block

— 2x slower than XTS
Odds and ends

Format preserving encryption

Encrypting credit card numbers

Credit card format: bbbb bbnn nnnn nnnc   (= 42 bits)

[figure: POS terminal → processor #1 → processor #2 → processor #3 → acquiring bank]

Goal: end-to-end encryption

Intermediate processors expect to see a credit card number
⇒ encrypted credit card should look like a credit card
Format preserving encryption (FPE)

This segment: given 0 < s < 2^n, build a PRP on {0, …, s−1}
from a secure PRF F: K × {0,1}^n → {0,1}^n (e.g. AES)

Then to encrypt a credit card number: (s = total # credit cards)

1. map given CC# to {0, …, s−1}

2. apply PRP to get an output in {0, …, s−1}

3. map output back to a CC#

step 1: from {0,1}^n to {0,1}^t (t < n)

Want PRP on {0, …, s−1}. Let t be such that 2^(t−1) < s ≤ 2^t.
Method: Luby-Rackoff with F': K × {0,1}^(t/2) → {0,1}^(t/2) (truncate F)

[figure: Feistel network: the t-bit input is split into two t/2-bit halves and three rounds of F' produce the t-bit output]

(better to use 7 rounds à la Patarin, Crypto'03)

step 2: from {0,1}^t to {0, …, s−1}

Given PRP (E,D): K × {0,1}^t → {0,1}^t
we build (E',D'): K × {0, …, s−1} → {0, …, s−1}

E'(k, x): on input x ∈ {0, …, s−1} do:

      y ← x;  do { y ← E(k, y) } until y ∈ {0, …, s−1};  output y

[figure: the cycle of E(k, ·) through {0,1}^t is followed until it returns to a point inside {0, …, s−1}]

Expected # iterations: 2

Security

step 2 is tight: ∀A ∃B: PRP_adv[A, E] = PRP_adv[B, E']

Intuition: ∀ sets Y ⊆ X, applying the transformation to a random perm. π: X → X
gives a random perm. π': Y → Y

Step 1: same security as Luby-Rackoff construction
(actually using analysis of Patarin, Crypto'03)

note: no integrity
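Steps 1 and 2 above as an added example (not the course's code): a 7-round Feistel network whose round function is AES truncated to t/2 bits, wrapped by cycle walking to obtain a PRP on {0, …, s−1}. The key, the domain size s and the sample inputs in the test are constructed; a card number is mapped to {0, …, s−1} simply as the integer value of its digits.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"math/bits"
)

const rounds = 7 // as recommended on the slide (Patarin), not the 3-round Luby-Rackoff minimum

// fpe is a PRP on {0, ..., s-1}: a Feistel network on t bits (step 1) plus cycle walking (step 2).
type fpe struct {
	block cipher.Block
	s     uint64
	half  uint   // t/2, where t is the smallest even number with s <= 2^t
	mask  uint64 // 2^(t/2) - 1
}

func newFPE(key []byte, s uint64) *fpe {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	t := uint(bits.Len64(s - 1)) // smallest t with s <= 2^t
	if t%2 == 1 {
		t++ // keep the halves equal; 2^t stays below 4s, so the walk is still short
	}
	return &fpe{block: block, s: s, half: t / 2, mask: uint64(1)<<(t/2) - 1}
}

// f is the truncated PRF F'(k, (round, r)): AES over a block holding the round
// number and r, cut down to t/2 bits.
func (p *fpe) f(round int, r uint64) uint64 {
	var in, out [aes.BlockSize]byte
	in[0] = byte(round)
	binary.BigEndian.PutUint64(in[8:], r)
	p.block.Encrypt(out[:], in[:])
	return binary.BigEndian.Uint64(out[8:]) & p.mask
}

// feistel is the Luby-Rackoff network on a t-bit value; running the rounds in
// reverse order inverts it.
func (p *fpe) feistel(x uint64, encrypt bool) uint64 {
	l, r := x>>p.half, x&p.mask
	for n := 0; n < rounds; n++ {
		round := n
		if !encrypt {
			round = rounds - 1 - n
		}
		l, r = r, l^p.f(round, r)
	}
	return r<<p.half | l // undo the final swap
}

// walk applies the t-bit PRP (or its inverse) until the value lands in {0, ..., s-1}.
// Encryption and decryption pass through the same out-of-range points, so they invert each other.
func (p *fpe) walk(x uint64, encrypt bool) uint64 {
	for y := p.feistel(x, encrypt); ; y = p.feistel(y, encrypt) {
		if y < p.s {
			return y
		}
	}
}

func (p *fpe) Encrypt(x uint64) uint64 { return p.walk(x, true) }
func (p *fpe) Decrypt(y uint64) uint64 { return p.walk(y, false) }
```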
Further reading

• Cryptographic Extraction and Key Derivation: The HKDF Scheme. H. Krawczyk, Crypto 2010

• Deterministic Authenticated-Encryption: A Provable-Security Treatment of the Keywrap Problem. P. Rogaway, T. Shrimpton, Eurocrypt 2006

• A Parallelizable Enciphering Mode. S. Halevi, P. Rogaway, CT-RSA 2004

• Efficient Instantiations of Tweakable Blockciphers and Refinements to Modes OCB and PMAC. P. Rogaway, Asiacrypt 2004

• How to Encipher Messages on a Small Domain: Deterministic Encryption and the Thorp Shuffle. B. Morris, P. Rogaway, T. Stegers, Crypto 2009
Basic key exchange

Trusted 3rd parties

Key management

Problem: n users. Storing mutual secret keys is difficult

[figure: every pair of users shares its own secret key]

Total: O(n) keys per user

A better solution

Online Trusted 3rd Party (TTP)

[figure: every user shares one key with the TTP]

Generating keys: a toy protocol

Alice wants a shared key with Bob. Eavesdropping security only.

[figure: Alice (k_A) → TTP: "Alice wants key with Bob"; TTP → Alice: E(k_A, "A, B" ‖ k_AB) together with a ticket E(k_B, "A, B" ‖ k_AB); Alice forwards the ticket to Bob (k_B)]

Eavesdropper sees: E(k_A, "A, B" ‖ k_AB), E(k_B, "A, B" ‖ k_AB)

(E,D) is CPA-secure ⇒ eavesdropper learns nothing about k_AB

Note: TTP needed for every key exchange, knows all session keys.
(basis of Kerberos system)

Toy protocol: insecure against active attacks

Example: insecure against replay attacks

Attacker records session between Alice and merchant Bob
- For example a book order

Attacker replays session to Bob
- Bob thinks Alice is ordering another copy of book

Key question

Can we generate shared keys without an online trusted 3rd party?
Answer: yes!

Starting point of public-key cryptography:

• Merkle (1974), Diffie-Hellman (1976), RSA (1977)

• More recently: ID-based enc. (BF 2001), Functional enc. (BSW 2011)
Basic key exchange

Merkle Puzzles

Key exchange without an online TTP?

Goal: Alice and Bob want shared key, unknown to eavesdropper
• For now: security against eavesdropping only (no tampering)

[figure: Alice ↔ Bob exchange messages; an eavesdropper listens: ??]

Can this be done using generic symmetric crypto?

Merkle Puzzles (1974)

Answer: yes, but very inefficient

Main tool: puzzles

• Problems that can be solved with some effort

• Example: E(k,m) a symmetric cipher with k ∈ {0,1}^128

  - puzzle(P) = E(P, "message") where P = 0^96 ‖ b_1 … b_32
  - Goal: find P by trying all 2^32 possibilities

Merkle puzzles

Alice: prepare 2^32 puzzles

• For i = 1, …, 2^32 choose random P_i ∈ {0,1}^32 and x_i, k_i ∈ {0,1}^128
  set puzzle_i ← E( 0^96 ‖ P_i, "Puzzle # x_i" ‖ k_i )

• Send puzzle_1, …, puzzle_{2^32} to Bob

Bob: choose a random puzzle_j and solve it. Obtain (x_j, k_j).

• Send x_j to Alice

Alice: lookup puzzle with number x_j. Use k_j as shared secret

In a figure

   Alice  ── puzzle_1, …, puzzle_n ──►  Bob
   Alice  ◄───────── x_j ────────────  Bob

Alice's work: O(n)   (prepare n puzzles)
Bob's work: O(n)     (solve one puzzle)

Eavesdropper's work: O(n^2)   (e.g. 2^64 time)

Impossibility Result

Can we achieve a better gap using a general symmetric cipher?
Answer: unknown

But: roughly speaking, quadratic gap is best possible if we treat cipher as a black box oracle [IR'89, BM'09]
Basic key exchange

The Diffie-Hellman protocol

Key exchange without an online TTP?

Goal: Alice and Bob want shared secret, unknown to eavesdropper
• For now: security against eavesdropping only (no tampering)

[figure: Alice ↔ Bob exchange messages; an eavesdropper listens: ??]

Can this be done with an exponential gap?

The Diffie-Hellman protocol (informally)

Fix a large prime p (e.g. 600 digits)

Fix an integer g in {1, …, p}

   Alice                                     Bob
   choose random a in {1, …, p−1}            choose random b in {1, …, p−1}
   A = g^a (mod p)      ──── A ────►
                        ◄──── B ────         B = g^b (mod p)
   k_AB = B^a = (g^b)^a = g^ab (mod p)       (g^a)^b = A^b = k_AB (mod p)

Security (much more on this later)

Eavesdropper sees: p, g, A = g^a (mod p), and B = g^b (mod p)
Can she compute g^ab (mod p) ??

More generally: define DH(g^a, g^b) = g^ab (mod p)

How hard is the DH function mod p?
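The informal protocol above as an added example (not from the course): key generation, the shared-secret computation and the DH function with math/big. The group, a freshly generated 512-bit prime with g = 2, is a constructed toy parameter set rather than a standardized one, and the example adds a range check on the received public value that the slide does not discuss.

```go
package main

import (
	"crypto/rand"
	"errors"
	"math/big"
)

var one = big.NewInt(1)

// dhGroup is the public (p, g). For this example p is a freshly generated prime
// and g = 2; the pair is constructed for illustration, not a standardized group.
type dhGroup struct{ p, g *big.Int }

func toyGroup(bits int) dhGroup {
	p, err := rand.Prime(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return dhGroup{p: p, g: big.NewInt(2)}
}

// keygen chooses random a in {1, ..., p-1} and publishes A = g^a (mod p).
func (d dhGroup) keygen() (priv, pub *big.Int) {
	pm1 := new(big.Int).Sub(d.p, one)
	priv, err := rand.Int(rand.Reader, pm1) // uniform in [0, p-2]
	if err != nil {
		panic(err)
	}
	priv.Add(priv, one) // shift to [1, p-1]
	return priv, new(big.Int).Exp(d.g, priv, d.p)
}

// shared computes other^priv (mod p): Alice gets B^a, Bob gets A^b, both g^(ab).
// The received public value is first checked to lie in {2, ..., p-2}, so a peer
// cannot force a trivial key by sending 0, 1 or p-1.
func (d dhGroup) shared(priv, other *big.Int) (*big.Int, error) {
	pm1 := new(big.Int).Sub(d.p, one)
	if other.Cmp(one) <= 0 || other.Cmp(pm1) >= 0 {
		return nil, errors.New("dh: public value out of range")
	}
	return new(big.Int).Exp(other, priv, d.p), nil
}

// dh is the DH function of the slide, DH(g^a, g^b) = g^(ab) (mod p), written with
// the secret exponents as inputs; computing it from g^a and g^b alone is the
// problem the eavesdropper faces.
func (d dhGroup) dh(a, b *big.Int) *big.Int {
	return new(big.Int).Exp(d.g, new(big.Int).Mul(a, b), d.p)
}
```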
How hard is the DH function mod p?

Suppose prime p is n bits long.

Best known algorithm (GNFS): run time exp( Õ(n^(1/3)) )

   cipher key size   | modulus size | Elliptic Curve size
   80 bits           | 1024 bits    | 160 bits
   128 bits          | 3072 bits    | 256 bits
   256 bits (AES)    | 15360 bits   | 512 bits

As a result: slow transition away from (mod p) to elliptic curves

[screenshot: browser certificate dialog for www.google.com: "The identity of this website has been verified by Thawte SGC CA." "Your connection to www.google.com is encrypted with 128-bit encryption. The connection uses TLS 1.0. The connection is encrypted using RC4_128, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism." The key exchange is elliptic curve Diffie-Hellman.]
Insecure against man-in-the-middle

As described, the protocol is insecure against active attacks

[figure: Alice ── A = g^a ──► MiTM ── A' = g^a' ──► Bob; Bob ── B = g^b ──► MiTM ── B' = g^b' ──► Alice. The MiTM holds a key with Alice and a key with Bob, so it can read and relay all traffic between them while each believes it is talking to the other.]

Another look at DH

[figure: a public board (e.g. Facebook) lists g^a, g^b, g^c, g^d, … posted by Alice (a), Bob (b), Charlie (c), David (d), …; any pair, e.g. Alice and Charlie, can compute the shared key g^ac without interacting]

An open problem

[figure: the same board; Alice, Bob, Charlie and David (secrets a, b, c, d) each want to compute a common key k_ABCD from the posted values without interacting]
Basic key exchange

Public-key encryption

Establishing a shared secret

Goal: Alice and Bob want shared secret, unknown to eavesdropper
• For now: security against eavesdropping only (no tampering)

[figure: Alice ↔ Bob exchange messages; an eavesdropper listens: ??]

This segment: a different approach

Public key encryption

[figure: Alice encrypts m under Bob's public key pk to obtain c; Bob decrypts c with his secret key sk; pk is public, sk is kept secret]

Public key encryption

Def: a public-key encryption system is a triple of algs. (G, E, D)

• G(): randomized alg. outputs a key pair (pk, sk)

• E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C

• D(sk, c): det. alg. that takes c ∈ C and outputs m ∈ M or ⊥

Consistency: ∀(pk, sk) output by G:
   ∀m ∈ M: D(sk, E(pk, m)) = m

Semantic Security

For b=0,1 define experiments EXP(0) and EXP(1) as:

[figure: the challenger runs (pk, sk) ← G() and sends pk to the adversary; the adversary sends m0, m1 ∈ M and receives c ← E(pk, m_b); it outputs b' ∈ {0,1}]

Def: E = (G,E,D) is sem. secure (a.k.a IND-CPA) if for all efficient A:
   Adv_SS[A,E] = | Pr[EXP(0)=1] − Pr[EXP(1)=1] | < negligible

Establishing a shared secret

   Alice                                    Bob
   (pk, sk) ← G()
                  ──── "Alice", pk ────►
                                            choose random x ∈ {0,1}^128
                  ◄── "Bob", c = E(pk, x) ──
   x ← D(sk, c)                             x = secret

Security (eavesdropping)

Adversary sees pk, E(pk, x) and wants x ∈ M

Semantic security ⇒ adversary cannot distinguish
   { pk, E(pk, x), x }   from   { pk, E(pk, x), rand ∈ M }
⇒ can derive session key from x.

Note: protocol is vulnerable to man-in-the-middle

Insecure against man in the middle

As described, the protocol is insecure against active attacks

   Alice                    MiTM                     Bob
   (pk, sk) ← G()           (pk', sk') ← G()
   ── "Alice", pk ──►       ── "Alice", pk' ──►
                                                     choose random x ∈ {0,1}^128
   ◄── "Bob", E(pk, x) ──   ◄── "Bob", E(pk', x) ──
   x                        x

Public key encryption: constructions

Constructions generally rely on hard problems from number theory and algebra

Next module:

• Brief detour to catch up on the relevant background
Further readings

• Merkle Puzzles are Optimal, B. Barak, M. Mahmoody-Ghidary, Crypto '09

• On formal models of key exchange (sections 7-9), V. Shoup, 1999
Intro. Number Theory

Notation

Background

We will use a bit of number theory to construct:

• Key exchange protocols

• Digital signatures

• Public-key encryption

This module: crash course on relevant concepts

More info: read parts of Shoup's book referenced at end of module

Notation

From here on:

• N denotes a positive integer.

• p denotes a prime.

Notation: Z_N = {0, 1, …, N−1}

Can do addition and multiplication modulo N

Modular arithmetic

Examples: let N = 12

   9 + 8 = 5   in Z_12
   5 × 7 = 11  in Z_12
   5 − 7 = 10  in Z_12

Arithmetic in Z_N works as you expect, e.g. x·(y+z) = x·y + x·z in Z_N

Greatest common divisor

Def: For ints. x, y: gcd(x, y) is the greatest common divisor of x, y

Example: gcd(12, 18) = 6

Fact: for all ints. x, y there exist ints. a, b such that
   a·x + b·y = gcd(x, y)

a, b can be found efficiently using the extended Euclid alg.
If gcd(x, y) = 1 we say that x and y are relatively prime

Modular inversion

Over the rationals, inverse of 2 is 1/2. What about Z_N?

Def: The inverse of x in Z_N is an element y in Z_N s.t. x·y = 1 in Z_N
   y is denoted x^(−1).

Example: let N be an odd integer. The inverse of 2 in Z_N is (N+1)/2.
   2 · (N+1)/2 = N + 1 = 1 in Z_N

Modular inversion

Which elements have an inverse in Z_N?

Lemma: x in Z_N has an inverse if and only if gcd(x, N) = 1

Proof:
   gcd(x, N) = 1 ⇒ ∃ a, b: a·x + b·N = 1 ⇒ a·x = 1 in Z_N ⇒ x^(−1) = a
   gcd(x, N) > 1 ⇒ ∀a: gcd(a·x, N) > 1 ⇒ a·x ≠ 1 in Z_N

More notation

Def: Z_N^* = (set of invertible elements in Z_N) =
          = { x ∈ Z_N : gcd(x, N) = 1 }

Examples:

1. for prime p, Z_p^* = Z_p \ {0} = {1, 2, …, p−1}

2. Z_12^* = {1, 5, 7, 11}

For x in Z_N^* can find x^(−1) using extended Euclid algorithm.

Solving modular linear equations

Solve: a·x + b = 0 in Z_N

Solution: x = −b · a^(−1) in Z_N

Find a^(−1) in Z_N using extended Euclid. Run time: O(log^2 N)

What about modular quadratic equations?
   next segments
Intro. Number Theory

Fermat and Euler

Review

N denotes an n-bit positive integer. p denotes a prime.

• Z_N = {0, 1, …, N−1}

• (Z_N)^* = (set of invertible elements in Z_N) =
          = { x ∈ Z_N : gcd(x, N) = 1 }

Can find inverses efficiently using Euclid alg.: time = O(n^2)

Fermat's theorem (1640)

Thm: Let p be a prime
   ∀ x ∈ (Z_p)^*: x^(p−1) = 1 in Z_p

Example: p = 5.  3^4 = 81 = 1 in Z_5

So: x ∈ (Z_p)^* ⇒ x · x^(p−2) = 1 ⇒ x^(−1) = x^(p−2) in Z_p

   another way to compute inverses, but less efficient than Euclid

Application: generating random primes

Suppose we want to generate a large random prime
   say, prime p of length 1024 bits (i.e. p ≈ 2^1024)

Step 1: choose a random integer p ∈ [ 2^1024, 2^1025 ]

Step 2: test if 2^(p−1) = 1 in Z_p

   If so, output p and stop. If not, goto step 1.

Simple algorithm (not the best). Pr[ p not prime ] < 2^(−60)

The structure of (Z_p)^*

Thm (Euler): (Z_p)^* is a cyclic group, that is
   ∃ g ∈ (Z_p)^* such that {1, g, g^2, …, g^(p−2)} = (Z_p)^*

g is called a generator of (Z_p)^*

Example: p = 7.  {1, 3, 3^2, 3^3, 3^4, 3^5} = {1, 3, 2, 6, 4, 5} = (Z_7)^*

Not every elem. is a generator: {1, 2, 2^2, 2^3, 2^4, 2^5} = {1, 2, 4}

Order

For g ∈ (Z_p)^* the set {1, g, g^2, g^3, …} is called
   the group generated by g, denoted <g>

Def: the order of g ∈ (Z_p)^* is the size of <g>
   ord_p(g) = | <g> | = (smallest a > 0 s.t. g^a = 1 in Z_p)

Examples: ord_7(3) = 6 ; ord_7(2) = 3 ; ord_7(1) = 1

Thm (Lagrange): ∀ g ∈ (Z_p)^* : ord_p(g) divides p−1

Euler's generalization of Fermat (1736)

Def: For an integer N define φ(N) = | (Z_N)^* |   (Euler's φ func.)

Examples: φ(12) = | {1, 5, 7, 11} | = 4 ; φ(p) = p−1

   For N = p·q: φ(N) = N − p − q + 1 = (p−1)(q−1)

Thm (Euler): ∀ x ∈ (Z_N)^*: x^φ(N) = 1 in Z_N

Example: 5^φ(12) = 5^4 = 625 = 1 in Z_12

Generalization of Fermat. Basis of the RSA cryptosystem
Intro. Number Theory

Modular e'th roots

Modular e'th roots

We know how to solve modular linear equations:
   a·x + b = 0 in Z_N    Solution: x = −b · a^(−1) in Z_N

What about higher degree polynomials?

Example: let p be a prime and c ∈ Z_p. Can we solve:
   x^2 − c = 0 ,   y^3 − c = 0 ,   z^37 − c = 0   in Z_p

Modular e'th roots

Let p be a prime and c ∈ Z_p.

Def: x ∈ Z_p s.t. x^e = c in Z_p is called an e'th root of c.

Examples:
   7^(1/3) = 6 in Z_11
   3^(1/2) = 5 in Z_11
   1^(1/3) = 1 in Z_11

The easy case

When does c^(1/e) in Z_p exist? Can we compute it efficiently?

The easy case: suppose gcd(e, p−1) = 1

Then for all c in (Z_p)^*: c^(1/e) exists in Z_p and is easy to find.

Proof: let d = e^(−1) in Z_(p−1). Then c^d is the e'th root of c:
   d·e = 1 in Z_(p−1) ⇒ d·e = k·(p−1) + 1 for some integer k
   (c^d)^e = c^(d·e) = c^(k·(p−1)+1) = (c^(p−1))^k · c = c  in Z_p

The case e=2: square roots

If p is an odd prime then gcd(2, p−1) ≠ 1

Fact: in Z_p^*, x → x^2 is a 2-to-1 function   (x and −x have the same square)

Example: in Z_11:   1 10 | 2 9 | 3 8 | 4 7 | 5 6
                     ↓      ↓     ↓     ↓     ↓
                     1      4     9     5     3

Def: x in Z_p is a quadratic residue (Q.R.) if it has a square root in Z_p
   p odd prime ⇒ the # of Q.R. in Z_p is (p−1)/2 + 1

Euler's theorem

Thm: x in (Z_p)^* is a Q.R. ⇔ x^((p−1)/2) = 1 in Z_p   (p odd prime)

Example:
   in Z_11:  1^5, 2^5, 3^5, 4^5, 5^5, 6^5, 7^5, 8^5, 9^5, 10^5
           =  1,  −1,  1,   1,   1,  −1,  −1,  −1,  1,  −1

Note: x ≠ 0 ⇒ x^((p−1)/2) = (x^(p−1))^(1/2) = 1^(1/2) ∈ {1, −1} in Z_p

Def: x^((p−1)/2) is called the Legendre Symbol of x over p (1798)

Computing square roots mod p

Suppose p = 3 (mod 4)

Lemma: if c ∈ (Z_p)^* is Q.R. then √c = c^((p+1)/4) in Z_p

Proof: [ c^((p+1)/4) ]^2 = c^((p+1)/2) = c^((p−1)/2) · c = c

When p = 1 (mod 4), can also be done efficiently, but a bit harder
   run time = O(log^3 p)

Solving quadratic equations mod p

Solve: a·x^2 + b·x + c = 0 in Z_p

Solution: x = ( −b ± √(b^2 − 4ac) ) / 2a in Z_p

• Find (2a)^(−1) in Z_p using extended Euclid.

• Find square root of b^2 − 4ac in Z_p (if one exists) using a square root algorithm
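Euler's criterion, the p = 3 (mod 4) square-root formula and the quadratic-equation solver above as one added example (not from the course), written with math/big. The moduli in the test, 11 and the Mersenne prime 2^127 − 1 (which is 3 mod 4), are constructed choices.

```go
package main

import (
	"errors"
	"math/big"
)

var ErrNoRoot = errors.New("no square root in Z_p")

// legendre computes x^((p-1)/2) in Z_p: 1 for a quadratic residue, p-1 (= -1)
// for a non-residue, 0 for x = 0 (Euler's criterion).
func legendre(x, p *big.Int) *big.Int {
	e := new(big.Int).Rsh(new(big.Int).Sub(p, big.NewInt(1)), 1)
	return new(big.Int).Exp(x, e, p)
}

// sqrtMod returns one square root of c in Z_p for p = 3 (mod 4): c^((p+1)/4).
// The other root is p minus the returned value.
func sqrtMod(c, p *big.Int) (*big.Int, error) {
	if new(big.Int).Mod(p, big.NewInt(4)).Int64() != 3 {
		return nil, errors.New("only p = 3 (mod 4) is handled here")
	}
	c = new(big.Int).Mod(c, p)
	if c.Sign() == 0 {
		return big.NewInt(0), nil
	}
	if legendre(c, p).Cmp(big.NewInt(1)) != 0 {
		return nil, ErrNoRoot
	}
	e := new(big.Int).Rsh(new(big.Int).Add(p, big.NewInt(1)), 2)
	return new(big.Int).Exp(c, e, p), nil
}

// solveQuadratic returns the roots of a x^2 + b x + c = 0 in Z_p via
// x = (-b +/- sqrt(b^2 - 4ac)) * (2a)^(-1), the two steps listed on the slide.
func solveQuadratic(a, b, c, p *big.Int) ([]*big.Int, error) {
	disc := new(big.Int).Mul(b, b)
	disc.Sub(disc, new(big.Int).Mul(big.NewInt(4), new(big.Int).Mul(a, c)))
	disc.Mod(disc, p)
	r, err := sqrtMod(disc, p)
	if err != nil {
		return nil, err
	}
	inv2a := new(big.Int).ModInverse(new(big.Int).Mul(big.NewInt(2), a), p)
	if inv2a == nil {
		return nil, errors.New("2a is not invertible in Z_p")
	}
	var roots []*big.Int
	for _, s := range []*big.Int{r, new(big.Int).Neg(r)} {
		x := new(big.Int).Sub(s, b)
		x.Mul(x, inv2a).Mod(x, p)
		roots = append(roots, x)
	}
	return roots, nil
}
```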

Computing e'th roots mod N ??

Let N be a composite number and e > 1

When does c^(1/e) in Z_N exist? Can we compute it efficiently?

Answering these questions requires the factorization of N
(as far as we know)
Intro. Number Theory

Arithmetic algorithms

Representing bignums

Representing an n-bit integer (e.g. n = 2048) on a 64-bit machine

   | 32 bits | 32 bits | 32 bits | … | 32 bits |
   \_______________ n/32 blocks _______________/

Note: some processors have 128-bit registers (or more) and support multiplication on them

Arithmetic

Given: two n-bit integers

• Addition and subtraction: linear time O(n)

• Multiplication: naively O(n^2). Karatsuba (1960) does better:
  Basic idea: (2^b·x_2 + x_1) × (2^b·y_2 + y_1) with 3 mults.
  Best (asymptotic) algorithm: about O(n · log n).

• Division with remainder: O(n^2).

Exponentiation

Finite cyclic group G (for example G = Z_p^*)

Goal: given g in G and x compute g^x

Example: suppose x = 53 = (110101)_2 = 32 + 16 + 4 + 1

The repeated squaring alg.

Input: g in G and x > 0 ;   Output: g^x

   write x = (x_n x_(n−1) … x_2 x_1 x_0)_2
   y ← g ,  z ← 1
   for i = 0 to n do:
      if (x[i] == 1):  z ← z · y
      y ← y^2
   output z

example: g^53, x = 53 = (110101)_2

   i:              0     1     2     3     4      5
   x[i]:           1     0     1     0     1      1
   y (at step i):  g     g^2   g^4   g^8   g^16   g^32
   z (after):      g     g     g^5   g^5   g^21   g^53
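The repeated squaring algorithm above and the Fermat-test prime generator from the earlier "generating random primes" slide, as one added example (not the course's code): modExp follows the pseudocode bit by bit, fermatProbablePrime is step 2 of the generator, and randomPrime loops steps 1 and 2. The 256-bit size in the test is constructed to keep the run short.

```go
package main

import (
	"crypto/rand"
	"math/big"
)

// modExp is the repeated squaring algorithm of the slide: scan the bits of x from
// x_0 upward; y holds g^(2^i) and is multiplied into z whenever bit i is set.
func modExp(g, x, m *big.Int) *big.Int {
	if x.Sign() < 0 {
		panic("modExp: negative exponent")
	}
	y := new(big.Int).Mod(g, m)
	z := big.NewInt(1)
	for i := 0; i < x.BitLen(); i++ {
		if x.Bit(i) == 1 {
			z.Mul(z, y).Mod(z, m) // z <- z * y
		}
		y.Mul(y, y).Mod(y, m) // y <- y^2
	}
	return z
}

// fermatProbablePrime is step 2 of the slide: accept p if 2^(p-1) = 1 in Z_p.
// A composite can pass (Carmichael numbers such as 561 always do), which is why
// this is "not the best" algorithm; big.Int.ProbablyPrime is the production choice.
func fermatProbablePrime(p *big.Int) bool {
	two := big.NewInt(2)
	if p.Cmp(two) <= 0 {
		return p.Cmp(two) == 0
	}
	pm1 := new(big.Int).Sub(p, big.NewInt(1))
	return modExp(two, pm1, p).Cmp(big.NewInt(1)) == 0
}

// randomPrime repeats step 1 (random integer with exactly `bits` bits) until
// step 2 accepts it. Even candidates can never pass, so the low bit is forced to 1.
func randomPrime(bits int) *big.Int {
	top := new(big.Int).Lsh(big.NewInt(1), uint(bits-1))
	for {
		p, err := rand.Int(rand.Reader, top) // [0, 2^(bits-1))
		if err != nil {
			panic(err)
		}
		p.Add(p, top) // now in [2^(bits-1), 2^bits)
		p.SetBit(p, 0, 1)
		if fermatProbablePrime(p) {
			return p
		}
	}
}
```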
Running times

Given n-bit int. N:

• Addition and subtraction in Z_N: linear time = O(n)

• Modular multiplication in Z_N: naively = O(n^2)

• Modular exponentiation in Z_N (g^x):
   O( (log x) · T_mult ) ≤ O( (log x) · n^2 ) ≤ O(n^3)
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Intro. Number Theory 


Intractable problems 






Easy problems 

Given composite N and x in Z^j find x'^ in Z^, 

Given prime p and polynomial f(x) in Z [x] 

find X in Z s.t. f(x) = 0 in Z (if one exists) 

Running time is linear in deg(f). 


but many problems are difficult 



Intractable problems with primes 


Fix a prime p>2 and g in (Z )* of order q. 

Consider the function: x g’* In 
Now, consider the inverse function: 

Diogg (g**) = X where x in {0,q-2} 


Example: 


in Zii : 

1, 

2, 

3, 

4, 

5, 

6, 

7, 

8, 

9, 10 

Dlog2( •) : 

0, 

1, 

8, 

2, 

4, 

9, 

7, 

3, 

6, 5 
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DLOG: more generally 

Let G be a finite cyclic group and g a generator of G 

G = { 1, g , g^ , g^ , , g*^'^ } ( q is called the order of G ) 

Def : We say that DLOG is hard in G if for all efficient alg. A: 

Prg^Q x^z [ A(G, q, g, g’') = x] < negligible 

Example candidates: 

(1) (Z )* for large p, (2) Elliptic curve groups mod p 
Computing Dlog in (Z_p)*   (n-bit prime p)

Best known algorithm (GNFS): runtime  exp( Õ(n^{1/3}) )

   cipher key size     modulus size     Elliptic Curve group size
   80 bits             1024 bits        160 bits
   128 bits            3072 bits        256 bits
   256 bits (AES)      15360 bits       512 bits

As a result: slow transition away from (mod p) to elliptic curves
An application: collision resistance

Choose a group G where Dlog is hard (e.g. (Z_p)* for large p)

Let q = |G| be a prime. Choose generators g, h of G

For x, y ∈ {1, ..., q} define   H(x, y) = g^x · h^y   in G

Lemma: finding a collision for H(.,.) is as hard as computing Dlog_g(h)

Proof: Suppose we are given a collision H(x_0, y_0) = H(x_1, y_1) with (x_0, y_0) ≠ (x_1, y_1)
   then  g^{x_0} h^{y_0} = g^{x_1} h^{y_1}  ⇒  g^{x_0 - x_1} = h^{y_1 - y_0}  ⇒  h = g^{(x_0 - x_1) / (y_1 - y_0)}
   (exponents are computed mod q; y_0 ≠ y_1, since y_0 = y_1 would force g^{x_0} = g^{x_1} and hence x_0 = x_1)
Intractable problems with composites

Consider the set of integers:  (e.g. for n = 1024)

   Z_(2)(n) := { N = p·q  where p, q are n-bit primes }

Problem 1: Factor a random N in Z_(2)(n)  (e.g. for n = 1024)

Problem 2: Given a polynomial f(x) where degree(f) > 1
           and a random N in Z_(2)(n),
           find x in Z_N s.t. f(x) = 0 in Z_N



The factoring problem

Gauss (1805): "The problem of distinguishing prime numbers from
composite numbers and of resolving the latter into
their prime factors is known to be one of the most
important and useful in arithmetic."

Best known alg. (NFS): runtime  exp( Õ(n^{1/3}) )  for n-bit integer

Current world record: RSA-768 (232 digits)

• Work: two years on hundreds of machines

• Factoring a 1024-bit integer: about 1000 times harder

   ⇒ likely possible this decade
Further reading

• A Computational Introduction to Number Theory and Algebra,
  V. Shoup, 2008 (V2), Chapters 1-4, 11, 12

  Available at //shoup.net/ntb/ntb-v2.pdf
Public Key Encryption
from trapdoor permutations

Public key encryption:
definitions and security

Public key encryption

Bob: generates (PK, SK) and gives PK to Alice

   Alice:  m  →  E(pk, ·)  →  c  →  Bob:  D(sk, ·)  →  m

Applications

Session setup (for now, only eavesdropping security)

   Alice: generate (pk, sk), send pk to Bob
   Bob:   choose random x (e.g. 48 bytes), send E(pk, x) to Alice
   (both sides now hold the shared x)

Non-interactive applications: (e.g. Email)

• Bob sends email to Alice encrypted using pk_alice

• Note: Bob needs pk_alice (public key management)




Public key encryption

Def: a public-key encryption system is a triple of algs. (G, E, D)

• G(): randomized alg. outputs a key pair (pk, sk)

• E(pk, m): randomized alg. that takes m ∈ M and outputs c ∈ C

• D(sk, c): det. alg. that takes c ∈ C and outputs m ∈ M or ⊥

Consistency: ∀(pk, sk) output by G :
                ∀m ∈ M: D(sk, E(pk, m)) = m
Security: eavesdropping

For b = 0,1 define experiments EXP(0) and EXP(1) as:

   Chal.:  (pk, sk) ← G() ; send pk to Adv. A
   A:      chooses m_0, m_1 ∈ M with |m_0| = |m_1| and sends them to Chal.
   Chal.:  c ← E(pk, m_b) ; send c to A
   A:      outputs b' ∈ {0,1}      (the output of EXP(b) is b')

Def: E = (G,E,D) is sem. secure (a.k.a IND-CPA) if for all efficient A:
   Adv_SS [A,E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] | < negligible
Relation to symmetric cipher security

Recall: for symmetric ciphers we had two security notions:

• One-time security and many-time security (CPA)

• We showed that one-time security ⇏ many-time security

For public key encryption:

• One-time security ⇒ many-time security (CPA)

  (follows from the fact that the attacker can encrypt by himself)

• Public key encryption must be randomized
Security against active attacks

What if attacker can tamper with ciphertext?

   Bob sends the mail server (e.g. Gmail) an encrypted message
   ( to: caroline@gmail , body ).  The attacker intercepts the ciphertext and
   changes it into an encryption of ( to: attacker@gmail , body ); the mail
   server decrypts it and delivers the body to the attacker instead of Caroline.

Attacker is given decryption of msgs
that start with "to: attacker"
(pub-key) Chosen Ciphertext Security: definition

E = (G,E,D) public-key enc. over (M,C). For b = 0,1 define EXP(b):

   Chal.:  (pk, sk) ← G() ; send pk to Adv. A

   CCA phase 1:  A submits c_i ∈ C ;  Chal. returns m_i ← D(sk, c_i)

   challenge:    A submits m_0, m_1 ∈ M with |m_0| = |m_1| ;
                 Chal. returns c ← E(pk, m_b)

   CCA phase 2:  A subm its c_i ∈ C with c_i ≠ c ;  Chal. returns m_i ← D(sk, c_i)

   A outputs b' ∈ {0,1}

Chosen ciphertext security: definition

Def: E is CCA secure (a.k.a IND-CCA) if for all efficient A:
   Adv_CCA [A,E] = | Pr[EXP(0)=1] - Pr[EXP(1)=1] |  is negligible.


Example: Suppose an attacker can turn an encryption of ( to: alice , body )
         into an encryption of ( to: david , body ) without knowing sk. Then:

   Chal.:  (pk, sk) ← G() ; pk → Adv. A

   chal.:  A submits (to: alice, 0) , (to: alice, 1)

   Chal.:  c ← E(pk, m_b) → A

   CCA phase 2:  A submits c' = modified c, an encryption of (to: david, b), with c' ≠ c

   Chal.:  m' ← D(sk, c') → A      (m' = (to: david, b) reveals b, so A wins)
Active attacks: symmetric vs. pub-key

Recall: secure symmetric cipher provides authenticated encryption

   [ chosen plaintext security & ciphertext integrity ]

• Roughly speaking: attacker cannot create new ciphertexts

• Implies security against chosen ciphertext attacks

In public-key settings:

• Attacker can create new ciphertexts using pk !!

• So instead: we directly require chosen ciphertext security

This and next module:

   constructing CCA secure pub-key systems
Public Key Encryption
from trapdoor permutations

Constructions

Goal: construct chosen-ciphertext secure public-key encryption

Trapdoor functions (TDF)

Def: a trapdoor func. X → Y is a triple of efficient algs. (G, F, F^{-1})

• G(): randomized alg. outputs a key pair (pk, sk)

• F(pk, ·): det. alg. that defines a function X → Y

• F^{-1}(sk, ·): defines a function Y → X that inverts F(pk, ·)

More precisely: ∀ (pk, sk) output by G
                ∀ x ∈ X: F^{-1}(sk, F(pk, x)) = x

Secure Trapdoor Functions (TDFs)

(G, F, F^{-1}) is secure if F(pk, ·) is a "one-way" function:

   can be evaluated, but cannot be inverted without sk

   Chal.:  (pk, sk) ← G() ; x ← X ; send pk and y ← F(pk, x) to Adv. A
   A:      outputs x'

Def: (G, F, F^{-1}) is a secure TDF if for all efficient A:

   Adv_OW [A,F] = Pr[x = x'] < negligible
Public-key encryption from TDFs

• (G, F, F^{-1}): secure TDF X → Y

• (E_s, D_s): symmetric auth. encryption defined over (K,M,C)

• H: X → K a hash function

We construct a pub-key enc. system (G, E, D):

Key generation G: same as G for TDF

E( pk, m ):                              D( sk, (y,c) ):
   x ← X (random),  y ← F(pk, x)            x ← F^{-1}(sk, y),
   k ← H(x),  c ← E_s(k, m)                 k ← H(x),  m ← D_s(k, c)
   output (y, c)                            output m
In pictures:

   [  F(pk, x)  |  E_s( H(x), m )  ]
      header          body

Security Theorem:

   If (G, F, F^{-1}) is a secure TDF, (E_s, D_s) provides auth. enc.
   and H: X → K is a "random oracle"
   then (G,E,D) is CCA^ro secure.
Incorrect use of a Trapdoor Function (TDF)

Never encrypt by applying F directly to plaintext:

   E( pk, m ):  output c ← F(pk, m)          D( sk, c ):  output F^{-1}(sk, c)

Problems:

• Deterministic: cannot be semantically secure !!

• Many attacks exist (next segment)
Next step: construct a TDF

End of Segment
Public Key Encryption
from trapdoor permutations

The RSA trapdoor
permutation

Review: trapdoor permutations

Three algorithms: (G, F, F^{-1})

• G: outputs pk, sk.  pk defines a function F(pk, ·): X → X

• F(pk, x): evaluates the function at x

• F^{-1}(sk, y): inverts the function at y using sk

Secure trapdoor permutation:

   The function F(pk, ·) is one-way without the trapdoor sk
Review: arithmetic mod composites

Let N = p·q where p, q are prime

Z_N = {0, 1, 2, ..., N-1} ;   (Z_N)* = {invertible elements in Z_N}

Facts: x ∈ Z_N is invertible  ⟺  gcd(x, N) = 1

 - Number of elements in (Z_N)* is φ(N) = (p-1)(q-1) = N - p - q + 1

Euler's thm:   ∀ x ∈ (Z_N)* :  x^{φ(N)} = 1
The RSA trapdoor permutation

First published: Scientific American, Aug. 1977.

Very widely used:

 - SSL/TLS: certificates and key-exchange
 - Secure e-mail and file systems
 ... many others

The RSA trapdoor permutation

G(): choose random primes p, q ≈ 1024 bits. Set N = pq.
     choose integers e, d s.t. e·d = 1 (mod φ(N))
     output pk = (N, e) , sk = (N, d)

F( pk, x ):  x ↦ RSA(x) = x^e   (in Z_N)

F^{-1}( sk, y ) = y^d ;   y^d = RSA(x)^d = x^{ed} = x^{kφ(N)+1} = (x^{φ(N)})^k · x = x

The RSA assumption

RSA assumption: RSA is a one-way permutation

For all efficient algs. A:

   Pr[ A(N, e, y) = y^{1/e} ] < negligible

   where p, q ← n-bit primes,  N ← p·q,  y ← Z_N*
Review: RSA pub-key encryption (ISO std)

(E_s, D_s): symmetric enc. scheme providing auth. encryption.
H: Z_N → K where K is key space of (E_s, D_s)

• G(): generate RSA params: pk = (N, e), sk = (N, d)

• E(pk, m): (1) choose random x in Z_N
            (2) y ← RSA(x) = x^e ,  k ← H(x)
            (3) output (y, E_s(k, m))

• D(sk, (y, c)): output D_s( H(RSA^{-1}(y)), c )
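The ISO-standard construction above and the generic TDF construction before it, as an added example in Python that is not the lecture's code and uses only the standard library. The RSA modulus is built from two hardcoded Mersenne primes, far too small to be secure and chosen only so the example runs instantly; the authenticated cipher (E_s, D_s) is an encrypt-then-MAC construction from SHA-256 and HMAC chosen for this example, not prescribed by the slides, and H derives the two symmetric keys from x with SHA-256.

```python
# Added example (not the slides' code): RSA-KEM style hybrid encryption.
import hashlib
import hmac
import secrets

P, Q = (1 << 127) - 1, (1 << 89) - 1       # toy Mersenne primes (constructed; insecure size)
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
D = pow(E, -1, PHI)                         # e*d = 1 (mod phi(N))
K_BYTES = (N.bit_length() + 7) // 8

def rsa(x):
    return pow(x, E, N)                     # F(pk, x) = x^e in Z_N

def rsa_inv(y):
    return pow(y, D, N)                     # F^-1(sk, y) = y^d

def H(x):
    """H: Z_N -> K.  Here K is a pair of 32-byte keys (encryption key, MAC key)."""
    xb = x.to_bytes(K_BYTES, "big")
    return (hashlib.sha256(b"enc" + xb).digest(),
            hashlib.sha256(b"mac" + xb).digest())

def _keystream(k_enc, length):
    """Counter-mode keystream from SHA-256; k_enc is used for one message only."""
    blocks = (length + 31) // 32
    return b"".join(hashlib.sha256(k_enc + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:length]

def Es(k, m):
    """E_s: encrypt-then-MAC authenticated encryption."""
    k_enc, k_mac = k
    ct = bytes(a ^ b for a, b in zip(m, _keystream(k_enc, len(m))))
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()

def Ds(k, c):
    """D_s: verify the tag before decrypting; None stands for the slides' ⊥."""
    k_enc, k_mac = k
    if len(c) < 32:
        return None
    ct, tag = c[:-32], c[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, len(ct))))

def encrypt(m, x=None):
    """E(pk, m): fresh random x in Z_N, header y = x^e, body = E_s(H(x), m)."""
    if x is None:
        x = secrets.randbelow(N)
    return rsa(x), Es(H(x), m)

def decrypt(y, c):
    """D(sk, (y, c)): x = y^d, k = H(x), then D_s(k, c)."""
    return Ds(H(rsa_inv(y)), c)

if __name__ == "__main__":
    header, body = encrypt(b"attack at dawn")
    print(decrypt(header, body))                                   # b'attack at dawn'
    print(decrypt(header, bytes([body[0] ^ 1]) + body[1:]))        # None: body tampered
```

The randomness lives entirely in x: the header is a deterministic function of a uniformly random element of Z_N, and the message only ever meets the symmetric layer, which is why the textbook-RSA attacks in the next slides do not apply to this construction.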





Textbook RSA is insecure

Textbook RSA encryption:

 - public key: (N, e)       Encrypt: c ← m^e  (in Z_N)

 - secret key: (N, d)       Decrypt: c^d → m

Insecure cryptosystem !!

 - Is not semantically secure and many attacks exist

⇒ The RSA trapdoor permutation is not an encryption scheme !
A simple attack on textbook RSA

   Web Browser                                         Web Server
       CLIENT HELLO  ───────────────────────────────▶
                     ◀───────────────────────────────  SERVER HELLO (e, N)
       random session-key k
       c = RSA(k)    ───────────────────────────────▶

Suppose k is 64 bits: k ∈ {0, ..., 2^64}.  Eve sees: c = k^e in Z_N

If  k = k_1 · k_2  where k_1, k_2 < 2^34   (prob. ≈ 20%)

then  c / k_1^e = k_2^e  in Z_N

Step 1: build table: c/1^e, c/2^e, c/3^e, ..., c/(2^34)^e .   time: 2^34
Step 2: for k_2 = 0, ..., 2^34 test if k_2^e is in table.      time: 2^34

Output matching (k_1, k_2).

Total attack time:  ≈ 2^40  ≪  2^64
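The meet-in-the-middle attack above, as an added example that is not the lecture's code, scaled down so it finishes in under a second: the session key is a product of two factors below 2^half_bits, and the modulus is again two hardcoded Mersenne primes (constructed; insecure size). Only the public key is used, exactly as Eve would.

```python
# Added example (not the slides' code): meet-in-the-middle on textbook RSA.
P, Q = (1 << 127) - 1, (1 << 89) - 1      # toy Mersenne primes (constructed; insecure size)
N, E = P * Q, 65537                        # public key (e, N); the attacker never needs d

def textbook_rsa_encrypt(k):
    return pow(k, E, N)                    # c = k^e: deterministic, no randomness at all

def meet_in_the_middle(c, half_bits=16):
    """Recover k from c = k^e when k = k1 * k2 with 1 <= k1, k2 < 2^half_bits.

    Step 1: a table of c / k1^e for every candidate k1.
    Step 2: look up k2^e in the table for every candidate k2.
    Cost: 2 * 2^half_bits exponentiations, versus 2^(2*half_bits) for brute force.
    """
    bound = 1 << half_bits
    table = {}
    for k1 in range(1, bound):
        # c / k1^e in Z_N is c times the inverse of k1^e; RSA is a permutation,
        # so distinct k1 give distinct table keys
        table[c * pow(k1, -E, N) % N] = k1
    for k2 in range(1, bound):
        k1 = table.get(pow(k2, E, N))
        if k1 is not None:
            return k1 * k2
    return None                            # k does not split this way (~80% of 64-bit keys)

if __name__ == "__main__":
    k = 12345 * 9876                       # constructed 28-bit key with two 14-bit factors
    print(hex(k), hex(meet_in_the_middle(textbook_rsa_encrypt(k), half_bits=14)))
```

The attack works because m^e is deterministic and multiplicative; the RSA-KEM construction earlier removes both properties from the attacker's view by encrypting a uniformly random x rather than the session key itself.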
Public Key Encryption
from trapdoor permutations

PKCS 1

RSA encryption in practice

Never use textbook RSA.

RSA in practice (since ISO standard is not often used):

   msg  →  preprocessing  →  RSA  →  ciphertext

Main questions:

 - How should the preprocessing be done?

 - Can we argue about security of resulting system?
PKCS1 v1.5
(encryption)

PKCS1 mode 2:   (one block of RSA modulus size, e.g. 2048 bits)

   00 | 02 | random non-zero pad (at least 8 bytes) | 00 | msg
   └─ 16 bits ─┘

   (the separator before the message is a 00 byte, per RFC 2313 / RFC 8017)

Resulting value is RSA encrypted

Widely deployed, e.g. in HTTPS
Attack on PKCSl vl.5 


(Bleichenbacher 1998) 


PKCSl used in HTTPS: 


c= 


ciphertext 



B - 

.c 


Web 
, Server 

yes: continue 


Attacker 

no: error 




=> attacker can test if 16 MSBs of plaintext = '02' 


Chosen-ciphertext attack: to decrypt a given ciphertext C do: 

-Choose r£Z|^. Compute c'«—r®-c = (r ■ PKCSi(m))^ 
- Send c' to web server and use response 
Baby Bleichenbacher

   Attacker  ──  c  ──▶  Web Server: compute x ← c^d in Z_N, check msb(x)
                            yes: continue
                            no:  error

Suppose N is N = 2^n (an invalid RSA modulus). Then:

• Sending c reveals msb(x)

• Sending 2^e · c = (2x)^e in Z_N reveals msb(2x mod N) = msb_2(x)

• Sending 4^e · c = (4x)^e in Z_N reveals msb(4x mod N) = msb_3(x)

• ... and so on to reveal all of x
HTTPS Defense   (RFC 5246)

"Attacks discovered by Bleichenbacher and Klima et al. ... can be
avoided by treating incorrectly formatted message blocks ... in a
manner indistinguishable from correctly formatted RSA blocks."

In other words:

 1. Generate a string R of 46 random bytes

 2. Decrypt the message to recover the plaintext M

 3. If the PKCS#1 padding is not correct:
        pre_master_secret = R
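The three slides above, as an added example that is not the lecture's code: PKCS#1 v1.5 padding, a server whose padding check is the Bleichenbacher oracle, the blinding query c' = r^e · c, the RFC 5246 substitution, and the "baby" bit-by-bit recovery in the slide's N = 2^n thought experiment (modelled directly as an msb oracle, since 2^n is not a usable RSA modulus). The modulus is two hardcoded Mersenne primes (constructed; insecure size), so an 8-byte secret stands in for the 48-byte TLS premaster secret.

```python
# Added example (not the slides' code): PKCS#1 v1.5 padding oracle and its defence.
import secrets

P, Q = (1 << 127) - 1, (1 << 89) - 1      # toy Mersenne primes (constructed; insecure size)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8              # RSA block length in bytes (27 here, 256 for RSA-2048)
SECRET_LEN = 8                             # stands in for TLS's 48-byte premaster secret

def pkcs1_v15_pad(msg):
    """EME-PKCS1-v1_5: 00 || 02 || PS (>= 8 random non-zero bytes) || 00 || msg."""
    if len(msg) > K - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(K - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_v15_unpad(em):
    """Return msg if em is a conforming block, else None."""
    if len(em) != K or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    return None if sep < 10 else em[sep + 1:]    # PS shorter than 8 bytes is invalid too

def conforming(x):
    return pkcs1_v15_unpad(x.to_bytes(K, "big")) is not None

def encrypt(msg):
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N)

def server_vulnerable(c):
    """Pre-RFC 5246 behaviour: the padding check is visible, i.e. an oracle."""
    return "continue" if conforming(pow(c, D, N)) else "error"

def server_hardened(c, rand=secrets.token_bytes):
    """RFC 5246 7.4.7.1: on bad padding carry on with a random premaster secret.

    Returns (observable response, premaster secret); only the first is visible
    on the wire and it never depends on the padding check.
    """
    r = rand(SECRET_LEN)
    pms = pkcs1_v15_unpad(pow(c, D, N).to_bytes(K, "big"))
    return "continue", (pms if pms is not None and len(pms) == SECRET_LEN else r)

def blind(c, r):
    """c' = r^e * c = (r * PKCS1(m))^e: the verdict on c' is a fact about r*m mod N."""
    return pow(r, E, N) * c % N

def baby_bleichenbacher(msb_oracle, n):
    """Slide's thought experiment with N = 2^n: msb_oracle(r) returns msb(r*x mod 2^n).

    Multiplying by 2^i shifts x left by i bits, so query i yields bit n-1-i of x.
    """
    x = 0
    for i in range(n):
        x = (x << 1) | msb_oracle(1 << i)
    return x

if __name__ == "__main__":
    c = encrypt(b"8bytepms")
    x = pow(c, D, N)
    for r in (1, 2, 3, 1000):
        # each blinded query tells the attacker whether r*x mod N is PKCS1-conforming
        print(r, server_vulnerable(blind(c, r)), conforming(r * x % N), server_hardened(blind(c, r))[0])
```

Against `server_hardened` every query returns "continue", so the attacker's view of the padding check is constant; the handshake still fails later, but a failure caused by a wrong premaster secret is exactly what a random guess produces too. Modern deployments go further and use the later RSA-OAEP, or avoid RSA key transport entirely.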
PKCS1 v2.0: OAEP

New preprocessing function: OAEP [BR94]

   s = ( msg || 01 || 00...0 ) ⊕ G(rand)          t = rand ⊕ H(s)

   then RSA-encrypt ( s || t ) ;
   check pad on decryption, reject CT if invalid.

Thm [FOPS'01]: RSA is a trap-door permutation ⇒
               RSA-OAEP is CCA secure when H, G are random oracles

in practice: use SHA-256 for H and G
OAEP Improvements

OAEP+: [Shoup'01]
   ∀ trap-door permutation F:
   F-OAEP+ is CCA secure when H, G, W are random oracles.
   During decryption validate W(m,r) field.

SAEP+: [B'01]
   RSA (e=3) is a trap-door perm ⇒
   RSA-SAEP+ is CCA secure when H, W are random oracles.
How would you decrypt an SAEP+ ciphertext ct ?

   O  (x, r) ← RSA^{-1}(sk, ct) ,  (m, w) ← x ⊕ H(r) ,  output m if w = W(m, r)

   O  (x, r) ← RSA^{-1}(sk, ct) ,  (m, w) ← r ⊕ H(x) ,  output m if w = W(m, r)

   O  (x, r) ← RSA^{-1}(sk, ct) ,  (m, w) ← x ⊕ H(r) ,  output m if r = W(m, x)

   (The first option is the correct one: SAEP+ encrypts as ct = RSA( ((m || W(m,r)) ⊕ H(r)) || r ),
    so decryption strips r, removes the H(r) mask, and checks the W(m,r) field.)
Subtleties in implementing OAEP [M'00]

   OAEP-decrypt(ct):
      error = 0;

      if ( RSA^{-1}(ct) > 2^{n-1} )
          { error = 1; goto exit; }

      if ( pad(OAEP^{-1}(RSA^{-1}(ct))) != "01000..." )
          { error = 1; goto exit; }

Problem: timing information leaks type of error

   ⇒ Attacker can decrypt any ciphertext

Lesson: Don't implement RSA-OAEP yourself !
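The OAEP encoding from the "PKCS1 v2.0" slide and the decoding pitfall above, as an added example that is not the lecture's code: RSAES-OAEP encoding and decoding as in PKCS#1 v2 (RFC 8017, section 7.1) with SHA-256 and MGF1, written so that decoding has a single failure flag and no early exit, which is the property the [M'00] slide says the naive two-`if` version lacks. Only the OAEP layer is shown; the RSA step that wraps it is left out.

```python
# Added example (not the slides' code): RSAES-OAEP encode/decode with one failure path.
import hashlib
import hmac
import secrets

H_LEN = 32                                        # SHA-256 digest size

def mgf1(seed, length):
    """MGF1 mask generation function (RFC 8017, B.2.1) with SHA-256."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", seed=None):
    """EME-OAEP: EM = 00 || maskedSeed || maskedDB,  DB = lHash || 00..00 || 01 || msg."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    l_hash = hashlib.sha256(label).digest()
    db = l_hash + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(H_LEN) if seed is None else seed   # the slides' "rand"
    masked_db = _xor(db, mgf1(seed, k - H_LEN - 1))               # G(rand) mask
    masked_seed = _xor(seed, mgf1(masked_db, H_LEN))              # H(s) mask
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Inverse of oaep_encode; returns msg, or None on any padding failure.

    The leading-byte check, the lHash comparison and the PS || 01 scan are all
    evaluated on every input and folded into one flag, so which of them failed
    is not visible in the control flow.
    """
    if len(em) != k or k < 2 * H_LEN + 2:
        return None                               # lengths are public information
    l_hash = hashlib.sha256(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = _xor(masked_seed, mgf1(masked_db, H_LEN))
    db = _xor(masked_db, mgf1(seed, k - H_LEN - 1))
    bad = 1 if y != 0 else 0
    bad |= 0 if hmac.compare_digest(db[:H_LEN], l_hash) else 1
    found, index = 0, 0
    for i in range(H_LEN, len(db)):               # scan the whole region, never stop early
        is_one = 1 if db[i] == 1 else 0
        is_zero = 1 if db[i] == 0 else 0
        index = i if (is_one and not found) else index
        bad |= (1 - found) & (1 - is_one) & (1 - is_zero)   # junk byte before the separator
        found |= is_one
    bad |= 1 - found                              # no 01 separator at all
    return None if bad else db[index + 1:]

if __name__ == "__main__":
    em = oaep_encode(b"session key bytes", 128)   # k = 128 bytes, i.e. RSA-1024 sized block
    print(oaep_decode(em, 128))
    print(oaep_decode(bytes([1]) + em[1:], 128))  # None: first byte not 00
```

Python gives no real constant-time guarantees, so this is the structure a C implementation would copy, not a drop-in library; the slide's advice stands, and in practice the OAEP step should come from a maintained library rather than from code like this.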
Public Key Encryption
from trapdoor permutations

Is RSA a one-way
function?

Is RSA a one-way permutation?

To invert the RSA one-way func. (without d) attacker must compute:

   x from c = x^e (mod N).

How hard is computing e'th roots modulo N ??

Best known algorithm:

 - Step 1: factor N (hard)

 - Step 2: compute e'th roots modulo p and q (easy)

Shortcuts?

Must one factor N in order to compute e'th roots?

To prove no shortcut exists show a reduction:

 - Efficient algorithm for e'th roots mod N
      ⇒ efficient algorithm for factoring N.

 - Oldest problem in public key cryptography.

Some evidence no reduction exists: [BV'98]

 - "Algebraic" reduction ⇒ factoring is easy.
How not to improve RSA's performance

To speed up RSA decryption use small private key d ( d ≈ 2^128 ):

   c^d = m (mod N)

Wiener'87: if d < N^{0.25} then RSA is insecure.

BD'98:     if d < N^{0.292} then RSA is insecure   (open: d < N^{0.5})

Insecure: priv. key d can be found from (N, e)

Wiener's attack

Recall: e·d = 1 (mod φ(N))  ⇒  ∃ k ∈ Z :  e·d = k·φ(N) + 1

   | e/φ(N) - k/d | = 1/(d·φ(N))  ≤  1/√N

φ(N) = N - p - q + 1  ⇒  |N - φ(N)| ≤ p + q ≤ 3√N

d ≤ N^{0.25}/3  ⇒  | e/N - k/d |  ≤  | e/N - e/φ(N) | + | e/φ(N) - k/d |
                                 ≤  3/√N + 1/√N  ≤  1/(2d^2)        (using e < φ(N))

Continued fraction expansion of e/N gives k/d.

e·d = 1 (mod k) ⇒ gcd(d, k) = 1, so k/d is in lowest terms  ⇒  can find d from k/d
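Wiener's attack as an added example that is not the lecture's code: a key with a deliberately small d is generated from two 256-bit primes (found with a Miller-Rabin test seeded for reproducibility; all of this is constructed for the example), and the attack recovers d, p and q from (N, e) alone by walking the convergents of e/N.

```python
# Added example (not the slides' code): Wiener's continued-fraction attack.
import math
import random

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with random bases; fine for an example, not an audited primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # top bit set, so q < p < 2q holds
        if is_probable_prime(n, rng):
            return n

def weak_keygen(bits=256, d_bits=60, seed=1):
    """RSA key (N, e, d) with d ~ 2^d_bits, far below N^(1/4)/3: the slide's mistake."""
    rng = random.Random(seed)
    p, q = random_prime(bits, rng), random_prime(bits, rng)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        d = rng.getrandbits(d_bits) | (1 << (d_bits - 1)) | 1
        if math.gcd(d, phi) == 1:
            return n, pow(d, -1, phi), d

def convergents(num, den):
    """Yield the convergents (k, d) of the continued fraction of num/den."""
    h0, h1, k0, k1 = 0, 1, 1, 0             # standard numerator/denominator recurrences
    while den:
        a, (num, den) = num // den, (den, num % den)
        h0, h1 = h1, a * h1 + h0
        k0, k1 = k1, a * k1 + k0
        yield h1, k1

def wiener_attack(n, e):
    """Return (d, p, q) if some convergent k/d of e/N yields a phi(N) that factors N."""
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k               # candidate phi(N) from e*d = k*phi + 1
        s = n - phi + 1                      # = p + q if the candidate is right
        disc = s * s - 4 * n                 # = (p - q)^2
        if disc < 0:
            continue
        r = math.isqrt(disc)
        if r * r == disc and (s + r) % 2 == 0:
            p, q = (s + r) // 2, (s - r) // 2
            if p * q == n:
                return d, p, q
    return None

if __name__ == "__main__":
    n, e, d = weak_keygen()
    print("recovered d matches:", wiener_attack(n, e)[0] == d)
```

Each convergent is tested by turning it into a candidate φ(N) and checking whether N splits into the two roots of x^2 - (N - φ(N) + 1)x + N; the bound in the slide guarantees the true k/d appears in the list. The fix is simply not to choose d: pick e (typically 65537) and let d be whatever the inverse turns out to be.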
Public Key Encryption
from trapdoor permutations

RSA in practice

RSA with low public exponent

To speed up RSA encryption use a small e:  c = m^e (mod N)

• Minimum value: e = 3   (gcd(e, φ(N)) = 1)

• Recommended value: e = 65537 = 2^16 + 1

   Encryption: 17 multiplications

Asymmetry of RSA: fast enc. / slow dec.

 - ElGamal (next module): approx. same time for both.
Key lengths

Security of public key system should be comparable to security
of symmetric cipher:

   Cipher key-size      RSA modulus size
   80 bits              1024 bits
   128 bits             3072 bits
   256 bits (AES)       15360 bits
Implementation attacks

Timing attack: [Kocher et al. 1997] , [BB'04]
   The time it takes to compute c^d (mod N) can expose d

Power attack: [Kocher et al. 1999]
   The power consumption of a smartcard while
   it is computing c^d (mod N) can expose d.

Faults attack: [BDL'97]
   A computer error during c^d (mod N) can expose d.

   A common defense: check output.  10% slowdown.
An Example Fault Attack on RSA (CRT)

A common implementation of RSA decryption:  x = c^d in Z_N

   decrypt mod p:  x_p = c^d in Z_p   ┐
                                       ├─  combine to get x = c^d in Z_N
   decrypt mod q:  x_q = c^d in Z_q   ┘

Suppose error occurs when computing x_q, but no error in x_p

Then: output is x' where  x' = c^d in Z_p  but  x' ≠ c^d in Z_q

   ⇒ (x')^e = c in Z_p  but  (x')^e ≠ c in Z_q   ⇒   gcd( (x')^e - c, N ) = p

RSA Key Generation Trouble [Heninger et al. / Lenstra et al.]

OpenSSL RSA key generation (abstract):

   prng.seed(seed)
   p = prng.generate_random_prime()
   prng.add_randomness(bits)
   q = prng.generate_random_prime()
   N = p*q

Suppose poor entropy at startup:

• Same p will be generated by multiple devices, but different q

• N_1, N_2: RSA keys from different devices  ⇒  gcd(N_1, N_2) = p

Experiment: factors 0.4% of public HTTPS keys !!

Lesson:

 - Make sure random number generator is properly
   seeded when generating keys
Further reading

• Why chosen ciphertext security matters, V. Shoup, 1998

• Twenty years of attacks on the RSA cryptosystem,
  D. Boneh, Notices of the AMS, 1999

• OAEP reconsidered, V. Shoup, Crypto 2001

• Key lengths, A. Lenstra, 2004
Public key encryption
from Diffie-Hellman

The ElGamal
Public-key System

Recap: public key encryption: (Gen, E, D)
Recap: public-key encryption applications

Key exchange (e.g. in HTTPS)

Encryption in non-interactive settings:

• Secure Email: Bob has Alice's pub-key and sends her an email

• Encrypted File Systems
     Bob stores  E(k_F, File)  together with  E(pk_A, k_F)  and  E(pk_B, k_F),
     so Alice and Bob can each recover k_F and read the file

• Key escrow: data recovery without Bob's key
     the file is stored as  E(k_F, File)  with an additional  E(pk_escrow, k_F),
     so the Escrow Service can recover k_F
Constructions

This week: two families of public-key encryption schemes

• Previous lecture: based on trapdoor functions (such as RSA)

  - Schemes: ISO standard, OAEP+, ...

• This lecture: based on the Diffie-Hellman protocol

  - Schemes: ElGamal encryption and variants (e.g. used in gpg)

Security goals: chosen ciphertext security
Review: the Diffie-Hellman protocol (1977)

Fix a finite cyclic group G (e.g G = (Z_p)*) of order n
Fix a generator g in G (i.e. G = {1, g, g^2, g^3, ..., g^{n-1}} )

   Alice                                   Bob
   choose random a in {1,...,n}            choose random b in {1,...,n}
                        A = g^a  ─────▶
                                 ◀─────  B = g^b
   k_AB = B^a = (g^b)^a = g^{ab}           k_AB = A^b = (g^a)^b = g^{ab}
ElGamal: converting to pub-key enc. (1984)

Fix a finite cyclic group G (e.g G = (Z_p)*) of order n
Fix a generator g in G (i.e. G = {1, g, g^2, g^3, ..., g^{n-1}} )

   Alice: choose random a in {1,...,n}, publish A = g^a   ← treat A as a public key

   Bob (to encrypt m): choose random b in {1,...,n}, B = g^b
        compute g^{ab} = A^b, derive symmetric key k, encrypt message m with k
        send ct = ( B , encryption of m under k )

   Alice (to decrypt): compute g^{ab} = B^a, derive k, and decrypt
The ElGamal system (a modern view)

• G: finite cyclic group of order n

• (E_s, D_s): symmetric auth. encryption defined over (K,M,C)

• H: G^2 → K a hash function

We construct a pub-key enc. system (Gen, E, D):

• Key generation Gen:

  - choose random generator g in G and random a in Z_n

  - output sk = a , pk = (g, h = g^a)

E( pk=(g,h), m ):                         D( sk=a, (u,c) ):
   b ← Z_n,  u ← g^b,  v ← h^b              v ← u^a
   k ← H(u,v),  c ← E_s(k, m)               k ← H(u,v),  m ← D_s(k, c)
   output (u, c)                            output m
ElGamal performance

E( pk=(g,h), m ):  u ← g^b , v ← h^b          D( sk=a, (u,c) ):  v ← u^a

Encryption: 2 exp. (fixed basis)

 - Can pre-compute [ g^{2^i}, h^{2^i}  for i = 1, ..., log_2 n ]

 - 3x speed-up (or more)

Decryption: 1 exp. (variable basis)
Next step:

   why is this system chosen ciphertext secure?
   under what assumptions?

End of Segment
Public key encryption
from Diffie-Hellman

ElGamal Security

Computational Diffie-Hellman Assumption

G: finite cyclic group of order n

Comp. DH (CDH) assumption holds in G if:   g, g^a, g^b  ⇏  g^{ab}

   for all efficient algs. A:

      Pr[ A(g, g^a, g^b) = g^{ab} ] < negligible

   where g ← {generators of G}, a, b ← Z_n
Hash Diffie-Hellman Assumption

G: finite cyclic group of order n ,  H: G^2 → K a hash function

Def: Hash-DH (HDH) assumption holds for (G, H) if:

   (g, g^a, g^b, H(g^b, g^{ab}))  ≈_p  (g, g^a, g^b, R)

   where g ← {generators of G}, a, b ← Z_n , R ← K

H acts as an extractor: strange distribution on G^2  ⇒  uniform on K
Suppose K = {0,1}^128 and
H: G^2 → K only outputs strings in K that begin with 0
   (i.e. for all x, y: msb(H(x,y)) = 0 )

Can Hash-DH hold for (G, H) ?

   O  Yes, for some groups G
   ●  No, Hash-DH is easy to break in this case   (correct: the distinguisher outputs 1 iff the msb is 0)
   O  Yes, Hash-DH is always true for such H

ElGamal is sem. secure under Hash-DH

KeyGen: g ← {generators of G} , a ← Z_n
        output pk = (g, h = g^a) , sk = a

E( pk=(g,h), m ):  b ← Z_n                 D( sk=a, (u,c) ):
   k ← H(g^b, h^b),  c ← E_s(k, m)            k ← H(u, u^a),  m ← D_s(k, c)
   output (g^b, c)                            output m
ElGamal chosen ciphertext security?

To prove chosen ciphertext security need stronger assumption
Interactive Diffie-Hellman (IDH) in group G:

   Chal.:  g ← {generators of G}, a, b ← Z_n ;  sends (g, g^a, g^b) to Adv. A
   A:      may submit queries (u_1, v_1) ;  Chal. answers 1 if (u_1)^a = v_1 and 0 otherwise
   A:      outputs g^{ab}

IDH holds in G if: ∀ efficient A: Pr[ A outputs g^{ab} ] < negligible

ElGamal chosen ciphertext security?

Security Theorem:

   If IDH holds in the group G, (E_s, D_s) provides auth. enc.
   and H: G^2 → K is a "random oracle"

   then ElGamal is CCA^ro secure.

Questions: (1) can we prove CCA security based on CDH?

           (2) can we prove CCA security without random oracles?
Public key encryption
from Diffie-Hellman

ElGamal Variants
With Better Security

Review: ElGamal encryption

KeyGen: g ← {generators of G} , a ← Z_n
        output pk = (g, h = g^a) , sk = a

E( pk=(g,h), m ):  b ← Z_n                 D( sk=a, (u,c) ):
   k ← H(g^b, h^b),  c ← E_s(k, m)            k ← H(u, u^a),  m ← D_s(k, c)
   output (g^b, c)                            output m

ElGamal chosen ciphertext security

Security Theorem:

   If IDH holds in the group G, (E_s, D_s) provides auth. enc.
   and H: G^2 → K is a "random oracle"
   then ElGamal is CCA^ro secure.

Can we prove CCA security based on CDH  (g, g^a, g^b ⇏ g^{ab}) ?

Option 1: use group G where CDH = IDH (a.k.a bilinear group)
Option 2: change the ElGamal system
Variants: twin ElGamal [CKS'08]

KeyGen: g ← {generators of G} , a1, a2 ← Z_n
        output pk = (g, h1 = g^{a1}, h2 = g^{a2}) , sk = (a1, a2)

E( pk=(g,h1,h2), m ):  b ← Z_n             D( sk=(a1,a2), (u,c) ):
   k ← H(g^b, h1^b, h2^b)                     k ← H(u, u^{a1}, u^{a2})
   c ← E_s(k, m)                              m ← D_s(k, c)
   output (g^b, c)                            output m
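The key-derivation half of ElGamal (the "modern view" slide) and of twin ElGamal above, as an added example that is not the lecture's code. It works in the order-q subgroup of (Z_p)* for the safe prime p = 10007 = 2·5003 + 1 with g = 4; these parameters and the SHA-256 based H are constructed for the example, and the symmetric layer (E_s, D_s) is left out so that what is compared is the key k both sides derive.

```python
# Added example (not the slides' code): ElGamal and twin-ElGamal key encapsulation.
import hashlib
import secrets

P, Q, G = 10007, 5003, 4                   # toy group: order-q subgroup of Z_p*, g = 2^2
assert pow(G, Q, P) == 1 and G != 1        # g really has order q

def H(*elems):
    """H: G^2 -> K (G^3 -> K for twin ElGamal): SHA-256 of fixed-width encodings."""
    return hashlib.sha256(b"".join(x.to_bytes(2, "big") for x in elems)).digest()

def in_group(u):
    """Reject 0, 1 and anything outside the order-q subgroup (small-subgroup guard)."""
    return 1 < u < P and pow(u, Q, P) == 1

def keygen(rand=secrets.randbelow):
    a = rand(Q)
    return a, (G, pow(G, a, P))            # sk = a, pk = (g, h = g^a)

def encap(pk, rand=secrets.randbelow):
    """Encryptor's half of E: returns (u, k); the body would be E_s(k, m)."""
    g, h = pk
    b = 1 + rand(Q - 1)                    # b in {1, ..., q-1}, so u != 1
    u, v = pow(g, b, P), pow(h, b, P)
    return u, H(u, v)

def decap(sk, u):
    """Decryptor's half of D: v = u^a, k = H(u, v)."""
    if not in_group(u):
        return None
    return H(u, pow(u, sk, P))

def twin_keygen(rand=secrets.randbelow):
    a1, a2 = rand(Q), rand(Q)
    return (a1, a2), (G, pow(G, a1, P), pow(G, a2, P))

def twin_encap(pk, rand=secrets.randbelow):
    g, h1, h2 = pk
    b = 1 + rand(Q - 1)
    u = pow(g, b, P)
    return u, H(u, pow(h1, b, P), pow(h2, b, P))   # one extra exponentiation

def twin_decap(sk, u):
    a1, a2 = sk
    if not in_group(u):
        return None
    return H(u, pow(u, a1, P), pow(u, a2, P))      # one extra exponentiation

if __name__ == "__main__":
    sk, pk = keygen()
    u, k = encap(pk)
    print("keys agree:", decap(sk, u) == k)
    sk2, pk2 = twin_keygen()
    u2, k2 = twin_encap(pk2)
    print("twin keys agree:", twin_decap(sk2, u2) == k2)
```

The subgroup check in `decap` is the part a real implementation must not skip: a ciphertext whose u lies outside the intended subgroup is exactly the kind of chosen ciphertext the CCA definition lets the attacker submit. The Hash-DH quiz above is visible here too: if H fixed its top output bit, k would be distinguishable from a uniform key by that bit alone.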
Chosen ciphertext security

Security Theorem:

   If CDH holds in the group G, (E_s, D_s) provides auth. enc.
   and H: G^3 → K is a "random oracle"
   then twin ElGamal is CCA^ro secure.

Cost: one more exponentiation during enc/dec
 - Is it worth it? No one knows ...

ElGamal security w/o random oracles?

Can we prove CCA security without random oracles?

• Option 1: use Hash-DH assumption in "bilinear groups"

  - Special elliptic curve with more structure [CHK'04 + BB'04]

• Option 2: use Decision-DH assumption in any group [CS'98]
Further Reading

• The Decision Diffie-Hellman problem. D. Boneh, ANTS 3, 1998

• Universal hash proofs and a paradigm for chosen ciphertext secure public
  key encryption. R. Cramer and V. Shoup, Eurocrypt 2002

• Chosen-ciphertext security from Identity-Based Encryption.
  D. Boneh, R. Canetti, S. Halevi, and J. Katz, SICOMP 2007

• The Twin Diffie-Hellman problem and applications.
  D. Cash, E. Kiltz, V. Shoup, Eurocrypt 2008

• Efficient chosen-ciphertext security via extractable hash proofs.
  H. Wee, Crypto 2010



Public key encryption
from Diffie-Hellman

A Unifying Theme

One-way functions (informal)

A function f: X → Y is one-way if

• There is an efficient algorithm to evaluate f(·), but

• Inverting f is hard:

   for all efficient A and x ← X :

      Pr[ f( A(f(x)) ) = f(x) ] < negligible

Functions that are not one-way: f(x) = x, f(x) = 0
Ex. 1: generic one-way functions

Let f: X → Y be a secure PRG (where |Y| > |X| )

   (e.g. f built using det. counter mode)

Lemma: f a secure PRG ⇒ f is one-way
Proof sketch:

   A inverts f  ⇒  B(y) = [ output 1 if f(A(y)) = y, else 0 ]  is a distinguisher
   (on y = f(x) B outputs 1 with A's success probability; on uniform y ∈ Y
    a preimage exists with probability at most |X|/|Y|)

Generic: no special properties. Difficult to use for key exchange.
Ex 2: The DLOG one-way function

Fix a finite cyclic group G (e.g G = (Z_p)*) of order n
g: a random generator in G (i.e. G = {1, g, g^2, g^3, ..., g^{n-1}} )

Define: f: Z_n → G  as  f(x) = g^x

Lemma: Dlog hard in G  ⇒  f is one-way

Properties: f(x), f(y)  ⇒  f(x+y) = f(x) · f(y)

   ⇒ key-exchange and public-key encryption
Ex. 3: The RSA one-way function

• choose random primes p, q ≈ 1024 bits. Set N = pq.

• choose integers e, d s.t. e·d = 1 (mod φ(N))

Define: f: Z_N → Z_N  as  f(x) = x^e in Z_N

Lemma: f is one-way under the RSA assumption
Properties: f(x·y) = f(x)·f(y) and f has a trapdoor

Summary

Public key encryption:

   made possible by one-way functions with special properties:
   homomorphic properties and trapdoors
Farewell (for now)

Quick Review: primitives

To protect non-secret data : (data integrity) 

- using small read-only storage: use collision resistant hash 

- no read-only space: use MAC ... requires secret key 
To protect sensitive data : only use authenticated encryption 

(eavesdropping security by itself is insufficient) 

Session setup: 

• Interactive settings: use authenticated key-exchange protocol 

• When no-interaction allowed: use public-key encryption 
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Remaining Core Topics (part II) 

• Digital signatures and certificates 

• Authenticated key exchange 

• User authentication: 

passwords, one-time passwords, challenge-response 

• Privacy mechanisms 

• Zero-knowledge protocols 


Many more topics to cover 

Elliptic Curve Crypto 
Quantum computing 
New key management paradigms: 

identity based encryption and functional encryption 
Anonymous digital cash 
Private voting and auction systems 
Computing on ciphertexts: fully homomorphic encryption 
Lattice-based crypto 
Two party and multi-party computation 



Final Words 


Be careful when using crypto: 

• A tremendous tool, but if incorrectly implemented: 
system will work, but may be easily attacked 


Make sure to have others review your designs and code 



Don't invent your own ciphers or modes












End of part I 



